The Protection of Personal Information Act (“POPIA”), which commenced on 1 July 2021, is here to stay! July and August saw a flood of POPIA Notices and documentation being issued, and now, finally, the dust appears to be settling.
This legislation, among other things, promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.
POPIA obliges the responsible party which is processing the personal information to comply with the following 8 requirements:
- Accountability – You are responsible for ensuring that the conditions for lawful processing are met.
- Processing limitation – Personal information must be processed lawfully, minimally, in accordance with the consent, justification and objection provisions, and with the data subject’s consent, unless certain exceptions apply.
- Purpose specification – Personal information must be processed for a specific purpose, and there must be adherence to the retention and restriction of records provisions in POPIA.
- Further processing limitation – Further processing of information must be compatible with the purpose of collection.
- Information quality – Reasonably practicable steps must be taken to ensure that personal information is complete, accurate, not misleading and updated.
- Openness – A responsible party must maintain the documentation of all processing operations under its responsibility and take reasonably practicable steps to ensure that the data subject is aware of certain information.
- Security safeguards – A responsible party must: (i) secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures; (ii) in terms of a written contract, ensure that an operator which processes personal information on the responsible party’s behalf establishes and maintains particular security measures; and (iii) as soon as reasonably possible after the discovery of a compromise, notify the Information Regulator and the data subject.
- Data subject participation – Data subjects may request confirmation of whether their personal information is held, as well as the correction and/or deletion of any personal information being held.
We have all seen, or come across, a compliance checklist for POPIA for the purpose of assisting us in aligning ourselves with most of the requirements issued by the Information Regulator, which includes:
- Appointing and registering an Information Officer for your business.
- Privacy impact assessments.
- POPIA compliance framework.
- POPIA Manual and Policies.
- POPIA training sessions with employees.
- Data processing agreements with third party service providers.
- Updating of employment contracts.
Once your house is clean and in order, what then?
First, remember that to ensure compliance with the Regulator’s requirements, you must be able to demonstrate that the points mentioned above are practically implemented in your organisation, and this must take place on an ongoing basis. Second, ongoing due diligence will be required. Ongoing due diligence under POPIA is something most organisations would rather not deal with, but once the Information Regulator starts taking enforcement action against offenders for non-compliance, we will all be forced to pay attention. The potential fines for non-compliance are substantial.
An ongoing due diligence program for POPIA should include:
- Conducting privacy/personal information impact assessments annually to ensure that the business keeps its finger on the pulse of the flow of data in the organisation.
- Reviewing and updating the POPIA compliance framework for your organisation.
- Reviewing and updating your POPIA Manual and Policies annually or at a frequency commensurate with the size and nature of your organisation.
- Ensuring that POPIA training is ongoing (including training of new employees) and that refresher training sessions are conducted at least annually to keep employees up to date.
- Reviewing and updating where necessary all contracts with employees, third party service providers and suppliers at a frequency commensurate with the size and nature of the organisation.