The Protection of Personal Information Act (PoPIA) is already in effect, and businesses have until the end of June 2021 to be compliant. A business’ risk exposure or urgency depends on the type of data the organisation works with. If they make use of “Personal Information” and “Special Personal Information” (PI/SPI), they have a few days left to become fully compliant.
There are many variables at play when determining risk, so keep in mind that it also depends on the amount of data, the size of the organisation, risk exposure, and what controls are in place. If they make use of little or no PI/SPI, then it shouldn’t take too much effort to “clean house”.
No matter which industry businesses are in, they will be affected by PoPIA. Those that have not started this journey already will need a detailed roadmap with identified compliance gaps, as well as the resource availability to execute on becoming fully compliant.
If they haven’t started yet, what are the first steps?
- Understand what is “Personal Information” and “Special Personal Information” (PI/SPI)
- Identify all PI/SPI in the organisation (think customers, employees and vendors)
- Understand what legal data retention periods are for all identified PI/SPI
- Assess all processes, procedures or systems that use PI/SPI for PoPIA compliance (document all relevant information flows)
- Assess all policies and legal agreements for PoPIA compliance
- Ensure there is a Data Breach Playbook
- Ensure there is a mechanism to obtain consent from data subjects as well as a mechanism which will allow them to request their data
- Document all efforts towards becoming compliant (have a portfolio of evidence)
- Appoint an Information Officer
- Train all staff and create awareness
- Conduct a Cyber Security Audit
Is there a checklist that you can share to be in a state of preparedness?
The steps listed above should get a business to a state of preparedness, but moving forward, I suggest that organisations make use of an online assessment tool through iOCO, www.popitools.co.za, when creating new or updating existing processes, procedures or systems. Don’t think this is a once-off exercise. Organisations will need to ensure that they train and educate teams regularly, and need to make sure that they test their controls on a regular basis. Prevention is better than cure.
By Sarita van der Walt from Wonga