We started this series with a quick look at the definition of personal information, when the Act will apply and similarities and differences in relation to the GDPR. In post 2, we looked at the role players, as well as categories of data subject and operators.
In this third and final post, Stergios Saltas shares a couple of steps that will provide quick wins, and then the longer-term projects that are required to work towards POPI compliance.
First: know the timeline. The POPI commencement date was officially 1 July 2020, which fixes the deadline for organizations to comply with the provisions of the Act – the deadline is 1 July 2021.
Many organizations already have plans in place and teams responsible for each workstream.
But, in case you are a) overwhelmed and not sure where to start, or b) concerned that you’ve missed something, here are some actions to consider.
Actions that will provide quick wins
- Understand the scope – document the categories of data subjects within your company and describe the personal information that is processed for each.
- Assign data privacy responsibility – appoint an information officer and a data privacy team who will be responsible for reaching and maintaining POPI compliance. Be sure to include representatives from each data subject category (HR, sales and marketing) and from functional areas, such as technology, operations and information security.
- Draft a privacy policy – fortunately, you don’t have to start from scratch, as there are many templates available online. It also helps to look at the privacy policies of other companies in your space.
- Raise employee awareness – draft a series of communications to employees about the intention of the Act, what is required from the company and what is expected of each employee. Enlightened employees are an important factor in keeping information secure.
Outputs that require specialist skills and/or a longer-term project plan, and that are required to work towards POPI compliance
- Starting point – using the categories of data subjects you defined above, map the flow of personal information into, through and out of your business, including external parties that have access to that information.
- Perform a gap analysis – identify the areas of data flow in your business that do not conform to the requirements of the Act. This requires a team that has familiarized themselves with the data privacy obligations.
- Audit your vendor contracts – if you use vendors and personal data is transferred from your business to theirs to perform a function, the agreement between the parties needs to place adequate obligations on both parties regarding the protection of that information.
- Operators, audit your client contracts – although POPI places the responsibility for data protection on the responsible party, best practice and logic dictate that the agreement between a responsible party and an operator must deal with each party’s obligations when it comes to data protection.
- Plan for worst case – draw up a response plan in the event that your company does experience a data breach. The plan must detail who is responsible for investigating the incident, as well as who is responsible for communicating with the affected parties.
What are the Penalties for non-compliance?
There are essentially two types of legal penalty for non-compliance with the provisions of the Act: the information regulator can find an organization guilty of non-compliance through negligence and impose a fine on the organization of between R1 million and R10 million, while the people responsible for data privacy could face 1 to 10 years in jail.
These are, however, just the legal penalties. There are other impacts on a business if found ignorant or negligent when it comes to data privacy. This includes reputational damage, which in turn can lead to withdrawal of funding, loss of customers and a reduction in new business.