The year 2021 is here, being the year that businesses will have to become POPIA compliant or face the risk of being held accountable under the Protection of Personal Information Act 4 of 2013. It is therefore quite appropriate to prioritise POPIA compliance as one of your main New Year’s resolutions.
In the spirit of helping you ease into POPIA compliance, here are a few handy tips that can help you kickstart your POPIA compliance project:
Tip 1: Assemble a POPIA compliance project team
Tip 2: Conduct a preliminary investigation
- Determine who will be the Information Officer and Deputy Information Officers for your business.
- The Information Officer is an individual within an entity or institution, who is charged with ensuring compliance with POPIA and being responsible for the governance, management and security of personal information.
- The default Information Officer will generally be the executive head of that entity or institution, as well as any person duly appointed by the Information Officer to perform his or her duties.
- After identifying the above individuals, consider adding the IT-person, HR, sales and legal to the POPIA compliance team to ensure that all bases of your business are covered, as these different departments may offer valuable insight on how POPIA should be implemented practically across the full spectrum of your business.
Now that you have a task force assembled, get the POPIA compliance team to consider the following as a preliminary investigation aimed to establish how your business processes personal information:
Tip 3: Work out a budget
- What customer information does your business collect? Think about type and sensitivity, and whether it qualifies as personal information.
- How does your business store the customer information which you collect? Do you store everything online or in hard copy format?
- Where is the customer information stored and who has access thereto? Think about what information is accessed by all employees, what is limited to sales, HR versus the IT department or management.
- Is the information of customers transferred to any third-party operators? For example, for storage or destruction purposes?
- What employee information do you have and where do you store it?
- Who has access to employees HR files and to which third-parties is information shared (such as pension funds, medical aid, etc.)?
- What services providers does your business use and do they have access to your customer or employee information?
- How secure is the personal information which you store (think about physical barriers as well as technical security measures such as anti-virus programmes which you use)?
- Does your business engage in direct marketing and how is this done (electronically or by telephone/in person)?
- How is the personal information that your business collects and stores eventually destroyed? Is the method of destruction and/or deletion secure?
- Does your business sell any data that may contain personal information of others?
Tip 4: Ask for help and approach experts
- Once you have an idea of what needs to happen and who will be on the POPIA compliance team for your business, you can get a better sense of how much outside help you will most likely need in order to become POPIA compliant.
- Remember to include POPIA compliance in your annual budget planning.
- Ask a few service providers to send quotes to get the compliance process started
Tip 5: Review your current policies
- Don’t be scared to approach legal and IT experts for assistance to become fully POPIA compliant as data and privacy protection is a specialised field.
- Most businesses will not have the necessary tools or knowledge to do everything themselves and this is okay. Specialists will be happy to assist you on gaining compliance.
Tip 6: Draft a POPIA compliance plan and policy
- Get updated copies of all your policies which may involve elements related to the processing of information (think information security management, marketing or HR policies) and review them or have them reviewed by legal experts.
- Consider whether these policies contain anything relating to personal information and whether it adequately describes how such information will be protected or sets out measures to be taken in order to ensure that data is handled in a secure manner.
- If gaps are identified in certain policies, make a list for future reference in order to include in your POPIA compliance plan and which can policies can be updated and implemented over time.
- Plan on how to achieve POPIA compliance and incorporate it in a formal business plan.
- This plan should clearly set out how your business will aim to become POPIA compliant and have set deadlines to achieve identified goals.
- The ultimate aim is to develop an overarching POPIA policy
- which sets out the implementation plan and how the business deals with the processing of personal information
- in a manner which is consistent with the provisions of POPIA from point of initial contact to destruction/deletion of such information.
This is the year of POPIA, but it need not be daunting task if the right building blocks are put in place at the start.
Don’t procrastinate until it’s too late
– get the ball rolling this new year and kickstart your compliance project while there is still time to become compliant.
Should you need help, we have a range of POPIA related solutions
ranging from online training solutions to extensive POPIA compliance plans that can be tailored for your business’ needs and to assist you with your POPIA compliance.