What you can do to ensure your organisations's compliance with POPIA

The President has not announced the promulgation date of POPIA, despite media claims.

Despite media reports stating that the Protection of Personal Information Act (POPIA) has been implemented from 1 April, President Cyril Ramaphosa has not announced the promulgation date in the Government Gazette

According to corporate law firm Michalsons, the Information Regulator asked the President to proclaim the act by 1 April, but he has not done so. “He obviously has a lot on his plate and he is dealing with a crisis – in our view very well,” the firm said in a statement.

The purpose of POPIA is to protect people’s personal information in order to stop money and identity theft and to protect their privacy, which is a fundamental human right.

While many might think that privacy is the last of our concerns amid the Covid-19 pandemic, according to Michalsons it is more important than ever, because:

  • Cybercrime has increased during the crisis.
  • With employees working from home, the security of information is at a higher risk.
  • There needs to be safeguarded against the abuse of data as the government uses location information to track the disease and infected people.
  • Infected people’s reputations are on the line and it’s important to protect their identities.

The uncertainty of POPIA’s commencement date could delay organisations from putting the right measures of in place, but according to KnowBe4 director of data privacy Lecio de Paula (pictured), companies can start making sure they comply with the new act by taking the following steps:

Conduct a business privacy impact assessment
To determine where your business stands in terms of POPIA’s requirements, you need to identify privacy risks in your organisation and come up with a plan to either remediate or accept them. 

Focus on the pressing issues you have chosen to remediate
Tailor your approach to the type of organisation you’re in and tackle each issue with a risk-based approach. High-risk processes should always come first. 

Start with client or customer personal data processes and work your way towards employee personal data. Executive buy-in is a must as you will have to collaborate with different departments within your organisation. 

Create a system to effectively monitor the controls you’ve put in place
Automation is important to ensure you have a robust privacy program with limited resources. Leveraging a governance, risk and compliance tool to help you conduct assessments, map controls and data flows will help you in the long run. 

If your organisation doesn’t have the budget for this tool, using a cloud drive folder to set up templates and upload compliance documentation could still work. 

Auditing every location personal data is stored
Organisations should maintain audits of personal data storages. This means identifying what controls are in place to protect data (technical controls, establishing the legal basis for processing, CIA triad), and documenting those controls. 
 
It’s important to understand how, where and why your organisation stores personal data. If you can’t answer these questions, you won’t be able to comply with other aspects of POPIA.