Today (1 June) marks 30 days until 1 July 2021 by which time all organisations need to ensure compliance with the provisions of the Protection of Personal Information Act (POPIA). Whilst many entities were hoping for an extension of the 12-month grace period afforded to organisations to comply with POPIA, the Information Regulator has recently indicated that no extension will be granted.
So now what? With the deadline for compliance looming, here are a few steps you can take to get you closer to being ‘POPIA ready’.
Personal information: What and why?
Under POPIA, organisations will be required to process personal information (information identifying natural and juristic persons) lawfully and on the basis of one of the justifiable grounds contained in POPIA. In order to do so, organisations should establish what personal information they collect in relation to, for example, their customers, suppliers and employees, and determine whether the collection of such personal information is for a lawful purpose relating to their functions or activities.
Appoint and register your Information Officer
Every organisation that processes personal information in South Africa, regardless of its size or form, will be required to appoint and register its information officer with the Information Regulator. An organisation can register its information officer on the online portal established by the Information Regulator which can be accessed via the Information Regulator’s website or by completing the prescribed registration form and manually submitting it to the Information Regulator (either by delivering the form to its physical address, or by emailing it to: registration.IR@justice.gov.za).
Demonstrate how you intend to comply
Information officers are required to develop and implement a compliance framework and to conduct impact assessments to ensure that their organisations’ internal processes comply with POPIA. Each organisation is accordingly encouraged to look at its existing structures and to establish a framework to demonstrate compliance based on its specific operational requirements.
Update your manual
Under the Promotion of Access to Information Act, the majority of organisations were required to establish a manual which served as a roadmap on how to request information and records held by the organisation. POPIA now requires organisations to update their manuals for purposes of facilitating requests for personal information.
In the interests of transparency, each organisation is required to take steps to provide data subjects with details relating to how the organisation intends to process the data subject’s personal information before it may collect any personal information. Organisations should thus commence putting in place appropriate processing notifications.
Assess your security
Under POPIA, organisations are required to put in place technical and organisational measures to mitigate the risk of security breaches. The security measures should comply with generally accepted information security practices, such as back-ups, anti-virus software and encryption. The appropriateness of the security measures will ultimately depend on the organisation’s operations and processing activities.
Train, train and train again
As the majority of security breaches result from human error, it is vital to make the organisation aware of the requirements of POPIA and to conduct ongoing training and skills development in a manner that is relevant to the personnel who handle and process personal information.
Do not panic
Although POPIA compliance may seem daunting, do not panic. Obtain support from key stakeholders and staff and start by tackling the requirements one step at a time.