To become compliant with the PoPI Act does not happen overnight. Here are the ten things you must do now (in no specific order).
You have to work at it. You also do not have much time left before the full force of the Act kicks in.
The areas of our biggest concern are the following:
- Cross-border transactions, including EU countries where the GDPR framework – similar to our PoPI Act – applies.
- Outsourcing of processes.
- Collection and processing.
- Retention and destruction.
- Data Security.
Here are the ten things you must do now, we believe.
1 Appoint a PoPIA Implementation Team
We believe that companies with 50 or more employees should establish a PoPIA Implementation Team (“PoPI Team”). It’s role and function is to oversee and co-ordinate the process of becoming PoPI compliant. This team is lead by the Compliance Manager, reporting to the Audit & Risk Committee of the Board.
2 Identify Sources and Usage of Personal Information
The typical sources are your personnel, suppliers, service providers, and clients. Lesser-known sources are failed job applicants and security gate visitors. Even visitors to your website if they leave some details behind. Visitor identity management becomes important.
The PoPI Team takes responsibility to fully understand the need for, processes, and usage of personal information across all Departments.
3 Develop an Opt-in Authorisation form
In general, an “opt-out” or “unsubscribe” option only is currently available. If you do not like some of the hordes of newsletters and emails you receive daily, you have to opt-out.
Never mind how they got your details in the first place.
Not any more.
From 1 July 2021, you have to grant specific opt-in authority for your personal information to be used, including the purpose for which it will be used.
4 Managing Risk & Compliance issues
If not already done:
- implement a company-wide enterprise risk and compliance management solution, and
- appoint a compliance manager responsible for company-wide legal and regulatory compliance.
Utilise the Heads of each Department to define and review the risk and compliance issues particular to his/her department. The Compliance Manager must be made responsible to coordinate, manage, and oversee implementation. Reach agreement on the risk mitigation and compliance procedures needed. Remember always that compliance requires a balancing act between the rights of the data subject and that of your company.
Data access and data security measures have to receive specific focus, particularly deliberate data breaches committed by aggrieved staff.
5 Implement an Incident Management procedure
If not already done, design, and implement an Incident Management procedure. This should be integrated with the Risk & Compliance solution.
Reportable incidents should not be the responsibility of the Compliance Manager. It should fall under a committee comprised of senior managers with different skills sets, and lead by the Head of Internal Audit.
6 Bring management of all data records onshore in SA
Data processing of personal information records has to be done inside South Africa unless each data subject has granted specific consent for it to be done outside SA.
Thousands of businesses make use of CRM systems such as SalesForce and ZohoCRM, neither of which host their services in SA. This must be attended to.
7 Heads of Departments must take responsibility
All Heads of Department where personal information records are maintained, must undertake a detailed analysis and assessment of the processes and procedures hitherto followed to gather, record, amend, use and delete personal information records of data subjects.
These are typically the Debtors, Creditors, HR, IT, Finance, Marketing, and Security departments.
8 Assess third-party service providers’ processes
Many companies make use of the specialist services of third-party service providers, particularly in the HR field.
Oversight of their ongoing compliance with the provisions of the PoPI Act must form part of the service agreement you have with each of them.
9 Review all Access Control procedures
Data breaches happen when inadequate access control procedures are in place. This mostly applies across the company’s IT network but includes access to the premises of the company and even gaining access to a senior official at the reception desk.
The compliance Manager must regularly review these processes.
10 Directors, Executives & Staff awareness programs
The Audit & Risk Committee of the board should initially drive the development and operation of a series of awareness programs within the company. The Compliance Manager should develop these and must ensure that it forms part of all induction programs applicable to new directors, executives, and staff.