Today marks one month until crucial elements of the Protection of Personal Information Act (PoPIA) come into force. Organisations that handle personal information have had a full year to prepare for PoPIA's commencement on 1 July 2021, but, as in the preceding years, many businesses have been lax in their efforts.
With 30 days left to go, Nadine Mather, senior associate at Bowmans, has unpacked some of the important steps that businesses need to have taken or must now take in order to properly prepare for PoPIA.
“Whilst many entities were hoping for an extension of the 12-month grace period afforded to organisations to comply with POPIA, the Information Regulator has recently indicated that no extension will be granted,” the senior associate warns.
“Under POPIA, organisations will be required to process personal information (information identifying natural and juristic persons) lawfully and on the basis of one of the justifiable grounds contained in POPIA. In order to do so, organisations should establish what personal information they collect in relation to, for example, their customers, suppliers, and employees, and determine whether the collection of such personal information is for a lawful purpose relating to their functions or activities,” she adds.
For those organisations that have left it late, this is what Mather advises.
What you need to do
The first step is to appoint and register an information officer. Every organisation that processes personal information in South Africa, regardless of its size or form, will be required to appoint and register its information officer with the Information Regulator.
Registering an information officer can be done on the online portal established by the Information Regulator. Alternatively, you can complete the registration forms and deliver them in person to the Regulator's offices or send them by email to registration[dot]IR[at]justice[dot]gov[dot]za.
Following the crucial step of registering an information officer, organisations will need to demonstrate how they intend to comply. Information officers are required to develop and implement a compliance framework and to conduct impact assessments to ensure that their organisations' internal processes are POPIA-compliant.
“Each organisation is accordingly encouraged to look at its existing structures and to establish a framework to demonstrate compliance based on its specific operational requirements,” adds Mather.
The information officer's duties do not stop there, however, as each organisation is also required to compile a manual setting out how the records it holds can be requested under the Promotion of Access to Information Act (PAIA). An up-to-date manual is therefore essential, according to Mather.
The next step is less logistical, but no less important: organisations will need to demonstrate a high level of transparency towards the people whose personal information they process.
“In the interests of transparency, each organisation is required to take steps to provide data subjects with details relating to how the organisation intends to process the data subject’s personal information before it may collect any personal information,” highlights Mather.
Once transparency is addressed, the same must happen with security. PoPIA requires responsible parties to secure the integrity and confidentiality of personal information through reasonable technical and organisational measures. Cyberattacks have risen since the pandemic began last year, and this shows no sign of lessening any time soon. Organisations that are not PoPIA-compliant therefore make attractive targets, since non-compliance often indicates that security controls have not been reviewed in some time.
The last thing an organisation wants is to suffer a breach involving personal information that it was not processing in compliance with PoPIA, particularly as PoPIA also requires security compromises to be reported to the Regulator and to the affected data subjects.
The final step is linked to security, and it is an ongoing one, according to Mather: train, train and train some more. This is because a large proportion of security breaches result from human error. “It is vital to make the organisation aware of the requirements of POPIA and to conduct ongoing training and skills development in a manner that is relevant to personnel who handle and process personal information,” she stresses.
With 30 days left to go, organisations that have not yet addressed PoPIA are likely scrambling, but Mather's final word of advice is to remain calm and take a measured approach.
“Although POPIA compliance may seem daunting, do not panic. Obtain support from key stakeholders and staff and start by tackling the requirements one step at a time,” she concludes.
While a methodical approach is important, it cannot be overstated that PoPIA compliance is non-negotiable for organisations operating in South Africa.