Is your Organisation POPIA Ready?

• South Africa

• Technology

29-05-2020

It’s been a long time coming, but the Protection of Personal Information Act 4 of 2013 (“POPIA”) should finally come into full force soon. Initially, the President was expected to proclaim that the (material) remaining provisions of POPIA come into force on 1 April 2020. Inevitably, the global COVID-19 pandemic meant that this date was postponed, but it is still not clear by how long.

On 12 May 2020, the Information Regulator made an urgent plea to government to bring POPIA in to full force, citing the adverse effects that the absence of fully functional and effective personal information regulatory authority is beginning to have on the country. When the President acts on the Information Regulator’s request, which should be sooner rather than later, organisations will have a twelve month grace period within which to become fully compliant.

Giving teeth to South Africa’s constitutionally enshrined right to privacy, POPIA is a comprehensive piece of data privacy legislation that protects against the unlawful collection, retention, dissemination and use of personal information. The powers of the Information Regulator are extensive and the penalties for contravention severe. Non-compliance with POPIA may result in administrative fines of up to R10 million, imprisonment, penalties, civil damages and most importantly, reputational harm.

POPIA is extremely broad in scope and applies to just about every private or public body (either based in South Africa or outside of it), if that party processes personal information within South Africa. This includes sole traders, partnerships, trusts, SMEs, large corporations, government entities, foreign companies and anything else in between. The definition of “personal information” is similarly expansive, and includes a person's Identity number, email address, phone number, marital status, biometrics, employment history, banking information, health-related information, data related to their economic status, personal views and private correspondence – even online identifiers such as IP addresses and cookies are deemed personally identifiable information. POPIA goes a step further than most data protection legislation, in that it includes juristic persons under the definition of data subjects.

It takes time to plan for changes of this magnitude and to integrate the principles of data protection into business processes. While 12 months may seem like sufficient time to ensure compliance, South African businesses would be well advised to start preparing for compliance early on (even before POPIA comes into force) - particularly if the mad scramble that preceded the 25 May 2018 deadline for General Data Protection Regulation (GDPR) in the EU is anything to go by (and avoid).

One step at a time

The first port of call for any organisation is to consider the role of the information officer. For a private company, the information officer will be the CEO, or a person duly authorised by the CEO for that purpose. Published on 14 December 2018, the POPIA regulations extend the information officer’s duties, and impose certain mandatory responsibilities. The role of information officer is therefore a critical role, and not something that can be dealt with lightly.

The next step is to get the requisite buy-in from the organisation, and assign responsibility for driving forward POPIA compliance. From that point, each business unit or department can start with personal information audits to map what personal information is processed by the business, how it is collected, processed, stored and destroyed, and whether the requisite consents have been sought.

This level of visibility, early on, will put organisations in a much better position to perform proper gap analysis and prioritise those areas most at risk. Existing policies can be updated and, where necessary, new policies created and implemented to address the actual compliance gaps identified during gap analysis. These may well include updates to employment or supplier contracts, supplier on-boarding processes, marketing policies, consent wording, record retention policies, subject access request policies, and data protection policies. Organisations will also be required to develop, monitor and maintain a manual as prescribed in sections 14 and 51 of PAIA (which must be made available to any person upon request). In addition, organisations will be required to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent: (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.

It is the role of the information officer to ensure that the compliance framework is implemented, monitored, and maintained throughout the organisation. The final step to compliance would be to ensure the proper socialisation and implementation of systems, policies and procedures through training, internal awareness sessions, annual re-training, and compliance audits.

Please contact us should you wish to discuss any of the above processes and requirements.