
POPI Act: let’s get you started

POPI Act Working Towards Compliance

We started this series with a quick look at the definition of personal information, when the Act will apply and similarities and differences in relation to the GDPR. In post 2, we looked at the role players, as well as categories of data subject and operators.  

In this third and final post, Stergios Saltas shares a couple of steps that will provide quick wins and then the longer term projects that are required to work towards POPI compliance.

First: know the timeline. The POPI commencement date was officially 1 July 2020, which fixes the deadline for organizations to comply with the provisions of the Act – the deadline is 1 July 2021.

Many organizations already have plans in place and teams responsible for each workstream.

But, in case you are a) overwhelmed and not sure where to start, or b) concerned that you’ve missed something, here are some actions to consider.

Actions that will provide quick wins

  1. Understand the scope – document the categories of data subjects within your company and describe the personal information that is processed for each.
  2. Assign data privacy responsibility – appoint an information officer and a data privacy team who will be responsible for reaching and maintaining POPI compliance. Be sure to include representatives from each data subject category (HR, sales and marketing) and from functional areas, such as technology, operations and information security.
  3. Draft a privacy policy – fortunately, you don’t have to start from scratch, as there are many templates available online. It also helps to look at the privacy policies of other companies in your space.
  4. Raise employee awareness – draft a series of communications to employees about the intention of the Act, what is required from the company and what is expected of each employee. Enlightened employees are an important factor in keeping information secure.

Outputs that require specialist skills and/or a longer term project plan, and that are required to work towards POPI compliance

  1. Starting point – using the categories of data subjects you defined above, map the flow of personal information into, through and out of your business, including external parties that have access to that information.
  2. Perform a gap analysis – identify the areas of data flow in your business that do not conform to the requirements of the Act. This requires a team that has familiarized themselves with the data privacy obligations.
  3. Audit your vendor contracts – if you use vendors and personal data is transferred from your business to theirs to perform a function, the agreement between the parties needs to place adequate obligations on both parties regarding the protection of that information.
  4. Operators, audit your client contracts – although POPI places the responsibility for data protection on the responsible party, best practice and logic dictate that the agreement between a responsible party and an operator must deal with each party’s obligations when it comes to data protection.
  5. Plan for worst case – draw up a response plan in the event that your company does experience a data breach. The plan must detail who is responsible for investigating the incident, as well as who is responsible for communicating with the affected parties. 

What are the Penalties for non-compliance?

There are essentially two types of legal penalty for non-compliance with the provisions of the Act: the Information Regulator can find an organization guilty of non-compliance through negligence and impose a fine on the organization of between R1 million and R10 million, while the people responsible for data privacy could face 1 to 10 years in jail.

These are, however, just the legal penalties. There are other impacts on a business if found ignorant or negligent when it comes to data privacy. This includes reputational damage, which in turn can lead to withdrawal of funding, loss of customers and a reduction in new business.


Stergios Saltas

Operations Director, Africa

Stergios Saltas is Operations Director at Striata, with a focus on the Africa region.

With 20 years’ experience in the ICT industry, Stergios is responsible for guiding the strategic direction and daily operations of the African business. During his career at Striata, Stergios mastered a wide range of roles where he oversaw the management and delivery of messaging solutions.

Stergios is dedicated to understanding client needs and executing solutions with precision; ensuring that Striata products meet the highest standards of quality and functionality; while promoting the wellbeing of Striata’s valuable resources.
