Fifteen months after the Protection of Personal Information Act (POPI) was signed in Parliament (November 2013), there is still no official indication of when it will be fully enforced or even if any progress has been made in appointing an Information Regulator. In his State of the Nation address on 12 February, President Zuma did not even mention this business-changing Act, which was so heavily in the spotlight in 2013.
Says Alison Treadaway, Director at customer communication management specialist, Striata, “Organisations that process customer data, either of their own, or on behalf of other companies, may feel safe opting for a ‘wait and see’ approach. After all, once the full Act is enforced, we are expecting a grace period of one year before organisations have to comply.”
However, Treadaway says there are areas of compliance that will not be achievable in a one year period, so organisations should already be addressing them.
Can your business afford to wait?
“Whether or not your business can afford to wait and see is really dependent on your scale:
- The number of employees you have
- The number of data subjects whose information you hold
- The number of processes that consume data in your workflow
- The number of suppliers you have who touch your data
- How solid your information security is and so on…
Businesses with large numbers of any of the above will not be able to make the required changes in one year; especially since changes in some cases need to be made both retrospectively and going forward,” explains Treadaway
Treadaways says a business needs to evaluate its gaps in each of the primary affected areas and then determine whether the changes required to reach compliance are achievable in a 12 month timeframe. As a starting point, she recommends reviewing the following key areas:
Employees
Every organisation has employees. The size of your employee base and how much attention you’ve paid to where, why and how long you store information about employees will determine how much work is required to achieve compliance.
You will have to complete a review of how the following records are managed:
- Performance reviews
- Disciplinary documents
- Remuneration information for employees
- CVs, criminal/credit checks
- Offers for candidates you’ve interviewed
Legal
Contractual agreements that include the gathering and processing of Personal Information of employees, customers, partners or vendors will need to be reviewed or appended to cover the required data clauses. For example:
- Employee contracts need a clause giving consent to store and process personal information.
- Customer contracts require the same as above.
- If you share your customers’ Personal Information with a service provider (such as a WASP or ESP), your vendor agreements need to align with your contractual obligations to your customers.
Processes
Your customer/vendor/employee acquisition processes need to be amended to include information about a Data Subject’s rights and to record consent for processing. You will need new processes to handle queries about Personal Information regarding where you got it, if you have consent to use it, if is it accurate and complete. And perhaps most important, you will need processes to appropriately manage a data breach.
Security
Ensuring that Personal Information entrusted to your organisation is safe, requires security on both a physical and technical level. This means identifying and securing every filing cabinet, desk drawer, server, mobile device and desktop on/in which personal information resides. It also means understanding who has, and who should not have access to those locations, plus the ability to manage access permissions and audit trails.
Training
Everyone in your organisation has to be trained on the new processes and security measures. Depending on the size and distribution of your staff, this may be a small or a mammoth task. But it’s not only about training, it is also about ownership of the requirements at all levels of the organisation.These interventions will be easier for organisations with C-level buy-in and the right company culture.
“Businesses of a certain size may be able to park some of the changes until the Act comes into force. But most should be preparing in the areas which require exceptional investment (security) or large scale change management (training). And any business that is classified as an *Operator should be way ahead of the game in terms of both their own compliance and advising their clients on what is required. There is no question of an Operator waiting until the Act is fully enforced,“ concludes Treadaway.
*A person/company that is contracted to process personal information for a Responsible Party, but is not under direct authority of that party. So your digital agency, WASP and print provider are all considered operators, as they process personal data on your behalf