The POPI Act came into effect 01 July 2020. Companies had 1 year to prepare for compliance with the deadline being 01 July 2021. Compliance may seem overwhelming. You will be surprised that it can be achieved in five easy steps:
1. Appoint or reassess the role of the information officer
In terms of the regulations under POPI, the duties imposed on the information officer have been extended and now include certain mandatory duties. The default information officer of a private body is its head, which is generally the CEO, unless it has been delegated. The first step to compliance would therefore be to appoint an information officer if the organisation does not already have one, or to reassess the role of the existing information officer in line with the requirements set out in POPI.
2. Create awareness
In order to ensure effective compliance, buy-in from senior management all the way down the chain of command is needed. Make sure employees understand what data privacy legislation entails and what is required of them. This can be achieved through interactive awareness training.
3. Personal information impact assessment
Once all employees are informed, self-assessments and audits should start throughout the organisation, within each business unit. It is important to understand what information is collected, how it is collected, by whom it is collected, what it is used for, how it is stored and processed, how it is retained and destroyed, and whether it was collected with the necessary consent. Once self-audits are completed, there should be a clear understanding of how data is being processed in the organisation, and the organisation will be in a position to identify gaps and produce a clear gap analysis and risk assessment report.
4. Develop a compliance framework, which can include processes and policies
A proper gap analysis will help identify which processes and policies have to be put in place. These may include:
- updates to employment contracts
- updates to supplier agreements
- changes to marketing practices (opt-in and opt-out best practice)
- implementation of policies such as a personal information sharing policy, a security compromises policy, a subject access request policy, a CCTV camera policy, a bring your own device policy and a Promotion of Access to Information Act, 2000 ("PAIA") manual, to mention a few.
The compliance framework should be implemented, monitored and maintained. Policies and procedures do nothing to aid compliance if they are not properly implemented. The last step to compliance would be to ensure the proper implementation of new policies and procedures through in-depth training, awareness campaigns, annual re-training and compliance audits.
Source: Blog, Ridwaan Botha
At DigiEra Learning we offer a 4-hour online programme and assessment to ensure that your team adopts a compliance mindset and that they are aware of protecting personal information as they carry out their daily tasks.
Contact Rita Govender: Cell: 082 804 6391 Email: email@example.com