It’s August. For me, this usually means cold, unpleasant winds blowing with the slowly changing seasons moving from winter to spring. For some businesses, August also means the end of the financial year, which can be either a good or bad thing, depending on what happened during the past financial year.
This year, Covid-19 may have impacted your business, which left little spare change to spend on something that seems as far off as POPIA compliance, since the Act has been on the legislative waiting-list for over a decade. Well, now that the majority of the provisions of the Protection of Personal Information Act (“POPIA”) have finally come into force (with effect from 01 July 2020), you may want to rethink that strategy and begin working on a POPIA compliance plan for your business.
I often hear business-owners saying that they have not bothered to spend money on becoming POPIA compliant because there have not yet been any consequences for non-compliance. This is true, because the majority of the Act has only now come into force. To quote former U.S. Deputy Attorney General Paul McNulty: “If you think compliance is expensive, try non-compliance.”
The same rings true for POPIA, as severe penalties may be imposed for non-compliance with the provisions of the Act, and because changing consumer expectations now make it necessary to have privacy policies in place. Some research even indicates that the financial benefit to businesses that invest in strong data protection practices may far outweigh the costs associated with becoming compliant. This is because compliance with data protection and privacy standards will likely increase customer confidence in organisations that prioritise POPIA compliance.
But where will you find the time to start a project like this? Well, if you think about it, the lockdown period may be an ideal time for you to kick-start your POPIA compliance project, as many business owners and employees may have extra time on their hands due to the harsh economic impact on various sectors and the many restrictions which were so devastating to businesses. In other words, maybe business is not booming now and you finally have time to focus on matters such as compliance before the pace picks up again.
Here are a few tips on how to start planning your POPIA compliance project during lockdown and include POPIA in your annual budget planning:
Assemble a POPIA compliance project team
Determine who will be the Information Officer and Deputy Information Officers for your business. The Information Officer is an individual within an entity or institution, who is charged with ensuring compliance with POPIA and being responsible for the governance, management and security of personal information. The default Information Officer will generally be the executive head of that entity or institution, as well as any person duly appointed by the Information Officer to perform his or her duties.
After identifying the above individuals, consider adding the IT-guy, HR, sales and legal to the POPIA compliance team to ensure that all bases of your business are covered, as these different departments may offer valuable insight on how POPIA should be implemented practically across the full spectrum of your business.
Conduct a preliminary investigation
Now that you have a task force assembled, get the POPIA compliance team to consider the following as a preliminary investigation aimed to establish how your business processes personal information:
- What customer information does your business collect?
- How does your business store the customer information which you collect?
- Where is the customer information stored and who has access thereto?
- Is the information of customers transferred to any third-party operators?
- What employee information do you have and where do you store it?
- Who has access to employees’ HR files, and with which third parties is that information shared (such as pension funds, medical aid schemes, etc.)?
- What service providers does your business use, and do they have access to your customer or employee information?
- How secure is the personal information which you store (think about physical barriers as well as technical security measures, such as the anti-virus programmes you use)?
- Does your business engage in direct marketing and how is this done (electronically or by telephone/in person)?
- How is the personal information that your business collects and stores eventually destroyed? Is the method of destruction and/or deletion secure?
- Does your business sell any data that may contain personal information of others?
Work out a budget
Once you have an idea of what needs to happen and who will be on the POPIA compliance team for your business, you can get a better sense of how much outside help you will most likely need in order to become POPIA compliant. Ask a few service providers to send quotes to get the compliance process started. Lockdown is the perfect time to have these conversations and to start incorporating POPIA compliance in your annual budget planning.
Ask for help and approach experts
Don’t be scared to approach legal and IT experts for assistance to become fully POPIA compliant as data and privacy protection is a specialised field. Most businesses will not have the necessary tools or knowledge to do everything themselves.
Review your current policies
Get updated copies of all your policies which may involve elements related to the processing of information (think information security management, marketing or HR policies) and review them or have them reviewed by legal experts.
Consider whether these policies contain anything relating to personal information and whether they adequately describe how such information will be protected, or set out measures to be taken in order to ensure that data is handled in a secure manner. If gaps are identified in certain policies, make a list for future reference so that they can be included in your POPIA compliance plan and the affected policies can be updated and implemented over time.
Draft a POPIA compliance plan and policy
Plan on how to achieve POPIA compliance and incorporate it in a formal business plan. This plan should clearly set out how your business will aim to become POPIA compliant and have set deadlines to achieve identified goals. The ultimate aim is to develop an overarching POPIA policy which sets out the implementation plan and how the business deals with the processing of personal information in a manner which is consistent with the provisions of POPIA from point of initial contact to destruction/deletion of such information.
It is understandable if POPIA is not your first priority at the moment. You have a lot of other things on your mind and may be stuck in crisis control or survival mode. We all know the saying that “summer bodies are made in winter”. Well, perhaps the same may be said for your business’ POPIA compliance in the time of Covid-19: work hard on compliance now in order to reap the benefits later when the sun starts shining again.