We are merely four months away from 1 July 2021, the day on which the POPI Act grace period comes to an end. In a previous newsletter, we identified 10 steps to take on your journey to becoming POPI compliant. The process of becoming compliant is comprehensive. However, we should bear in mind that the end-goal is to ensure that your FSP is able to protect client data. Think about it this way – it is about placing the client at the heart of your business, about client retention and ultimately about the long-term sustainability of your business, which one might say, makes the journey worthwhile and rewarding.
Many FSPs are also concerned about the duties and responsibilities of the Information Officer and whether they will be able to ensure compliance with the POPI Act by 1 July 2021. Another consideration is whether the Information Officer has the operational ability to continue to review relevant business processes to ensure ongoing compliance.
We have heard from our FSPs that limited time, due to other business requirements, and possible uncertainty of exactly how to implement the regulatory requirements is compounded by having to negotiate the COVID-19 pandemic, adapting to working from home and in many instances personal and business loss. This is leaving some FSPs at a loss as to how to progress toward the deadline of 1 July.
Research has identified a common overarching theme that not all businesses are confident that they are POPI compliant. According to an online data protection survey by ITWeb in partnership with KnowBe4 during September and October 2020, only 30% of South African organisations indicated that they were well prepared for compliance with the POPI Act, while 39% indicated that they were ‘somewhat’ ready, but more work needs to be done.
In which category does your business fall – well prepared, or ‘somewhat’ ready but more work needs to be done?
We see a similar trend with our members. Some have taken action and are well prepared to meet the 1 July deadline, while others are not yet comfortable that they will be ready on 1 July and they know that more work needs to be done.
For this reason, you may be asking yourself:
- Am I well prepared in terms of POPI Act compliance?
- Do I have a Compliance Framework in place as required by Section 4 of the POPI Act Regulations dated 14 December 2018, including a project plan to guide me as the Information Officer?
- Will I have enough time to keep to my current business commitments and implement or oversee the POPI Act requirements?
- Am I aware of exactly how much personal information is stored by my business and who has access to all this information?
In this newsletter we provide a list of the types of activities that one should consider implementing. This is not a complete or exhaustive list by any means, but it does provide some guidelines on the activities to consider when moving toward POPI compliance by 1 July 2021. These activities can be used as a reference to measure your progress in terms of POPI Act compliance.
Have you confirmed your Information Officer and, where applicable, the Designated Deputy Information Officer(s) and registered him/her/them with the Regulator?
According to the Draft Guidelines on the Registration of Information Officers, the due date for registering an Information Officer with the Regulator is 31 March 2021.
Have you identified a project plan to ensure POPI compliance by 1 July 2021?
The Regulations Relating to the Protection of Personal Information stipulate that an Information Officer must, in addition to the responsibilities referred to in Section 55(1) of the Act, ensure that a compliance framework is developed, implemented, monitored and maintained.
For ease of reference we have set out a full list of the duties below, as stipulated in Section 55 of the POPI Act and the Regulations Relating to the Protection of Personal Information.
Section 55 of the POPI Act
1. An Information Officer’s responsibilities include
- the encouragement of compliance, by the body (e.g. your FSP), with the conditions for the lawful processing of personal information;
- dealing with requests made to the body pursuant to this Act;
- working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
- otherwise ensuring compliance by the body with the provisions of this Act; and
- as may be prescribed.
2. Officers must take up their duties in terms of this Act only after the responsible party has registered them with the Regulator.
Section 4 of the Regulations Relating to the Protection of Personal Information
1. An Information Officer must, in addition to the responsibilities referred to in section 55(1) of the Act, ensure that:
- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a manual is developed, monitored, maintained and made available as prescribed in Sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
It confirms that the business processes personal information in accordance with the conditions for lawful processing of personal information as stipulated in the POPI Act. It is also a useful client discussion document, to inform them of the types of personal information your business processes and who you are sharing it with.
Have all your employees, including all levels of management, received training and awareness on the POPI Act and data privacy?
This will assist with gaining a broader understanding of the POPI Act, its requirements and its impact on the business. As mentioned in activity 2 above, the Regulations Relating to the Protection of Personal Information stipulate that an Information Officer must, in addition to the responsibilities referred to in Section 55(1) of the POPI Act, ensure that internal awareness sessions are conducted regarding the provisions of the POPI Act.
If you have not yet done so, it is useful to create a data inventory list which identifies the types of personal information you collect, process and store e.g., name, surname, address, ID number, utility bill, bank details etc.
If a data breach occurs, a data inventory list will allow the business to easily identify what information was compromised. It also provides the business with an opportunity to assess the personal information already on record. The business can evaluate whether any of its personal information needs to be updated as per Condition 5 in the POPI Act, viz. Information Quality. This Condition refers to the quality of personal information processed, and that the information is accurate, not misleading and updated where necessary.
Have you recorded the data flows (e.g., between systems, between processes, between countries, to and from Third Parties) and related mitigation activities?
This is the first step in the process to identify the flow of personal information in and through your business. Once a data flow has been recorded, the business is able to work through each process in order to understand who has access to what information, where this information is transferred to and where it is stored. As a result, the business can identify the gaps and risks in terms of where a possible breach may occur and implement mitigation activities, e.g. restricting access to certain personal information through password protection, to minimise those gaps and risks. Ultimately, completing this exercise is a risk control and risk mitigation strategy to protect, as much as possible, the personal information processed by the business.
Has data privacy and POPI Act compliance been integrated into all business policies and processes?
- business continuity plans e.g. if personal information is backed up in the Cloud, is this secured through password protection (speak to an IT specialist about this),
- direct marketing practices (if applicable) e.g. has your business compared its existing practices to the requirements of the POPI Act to see whether these are lawfully executed, e.g. do all marketing communications give clients the option to opt in or opt out,
- the organisation’s use of social media e.g. if a testimonial is published on LinkedIn, Twitter or Facebook etc. which references the client’s personal information, was consent obtained for this to be published,
- hiring, managing and monitoring employees or contractors e.g. are the CVs of all unsuccessful applicants immediately destroyed or de-identified once a successful candidate has been selected to fill the position,
- the design of new procedures, system and product development.
Have you developed and maintained technical security measures (e.g. intrusion detection, firewalls, monitoring)?
This is to ensure your systems are not easily hacked by cyber criminals. We recommend speaking to an IT specialist to ensure you are adequately protected in this regard. Or you may consult with the providers of the CRM, or other systems you use e.g. Xplan, atWork, Elite Wealth.
Have you developed and maintained measures to encrypt personal data?
For example, if the personal information of a client is sent to them via email after their annual review meeting, do you ensure that the attachment and the email are password protected? We recommend speaking to an IT specialist in this regard. Alternatively, there are ways to use Microsoft Office to assist with this activity.
Have you reviewed all your agreements with all Operators and Third Parties?
If personal information is sent to an Operator or Third Party to process, the POPI Act requires that a responsible party (Information Officer) must, in terms of a written contract between the responsible party and the Operator, ensure that the Operator which processes personal information for the responsible party establishes and maintains the security measures required. Examples of Operators or Third Parties are Product Providers, IT contractors and Accountants. Should a data breach occur with the Operator or Third Party, the onus is on you as the responsible party (Information Officer). In a previous newsletter, we discussed how easily data breaches can occur, which Data Privacy Management practices can be implemented and Professional Indemnity Cover extensions to protect your business in the event of a breach. It is also important to ensure that clients are aware that their information is being processed by an external party.
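As an added example (not the newsletter's, Masthead's or the Regulator's own material), the following Python script shows what a data inventory list and a data flow record, as described in the data inventory and data flow activities above and in the Operator activity here, can look like once written down: a register of what personal information is held, where, and who can read it; a register of where it flows; a gap check that flags wide access, unencrypted storage, stale records (Condition 5, Information Quality), third-party flows without a written operator agreement, unprotected transfers and cross-border transfers; and a lookup of what would be exposed if one system were breached. The record fields, the thresholds and the sample entries are assumptions constructed for illustration.

```python
"""Data inventory and data-flow register with a gap check.

Added example: the record layout, thresholds and checks below are
assumptions made for illustration; they are not a template from
Masthead, the Regulator or the POPI Act. Sample entries are constructed.
"""
from dataclasses import dataclass


@dataclass
class InventoryItem:
    """One category of personal information held by the business."""
    category: str              # e.g. "ID number"
    system: str                # where it is stored, e.g. "CRM"
    roles_with_access: list    # roles that can read it
    encrypted_at_rest: bool
    last_verified: str         # ISO date the record was last checked for accuracy


@dataclass
class DataFlow:
    """One movement of personal information between two places."""
    categories: list           # inventory categories carried by this flow
    source: str
    destination: str
    third_party: bool          # destination is an Operator / Third Party
    cross_border: bool
    written_contract: bool     # operator agreement covering security measures
    transport_protected: bool  # e.g. password-protected attachment, SFTP
    mitigation: str = ""


# Constructed sample register for a hypothetical FSP
INVENTORY = [
    InventoryItem("ID number", "CRM", ["adviser", "admin", "reception"], True, "2020-11-02"),
    InventoryItem("bank details", "spreadsheet", ["adviser", "admin", "reception"], False, "2019-03-15"),
    InventoryItem("utility bill", "file share", ["admin"], False, "2020-09-30"),
]

FLOWS = [
    DataFlow(["ID number", "bank details"], "CRM", "Product Provider A",
             third_party=True, cross_border=False, written_contract=True,
             transport_protected=True, mitigation="SFTP upload"),
    DataFlow(["bank details"], "spreadsheet", "Accountant",
             third_party=True, cross_border=False, written_contract=False,
             transport_protected=False),
    DataFlow(["ID number"], "CRM", "Cloud backup (EU region)",
             third_party=True, cross_border=True, written_contract=True,
             transport_protected=True, mitigation="provider-side encryption"),
]


def inventory_gaps(inventory, max_roles=2, verified_after="2020-01-01"):
    """Return (kind, subject, message) findings for stored information.

    max_roles and verified_after are illustrative thresholds the business
    would set for itself; ISO dates compare correctly as strings.
    """
    findings = []
    for item in inventory:
        where = f"'{item.category}' in {item.system}"
        if len(item.roles_with_access) > max_roles:
            findings.append(("access", item.category,
                             f"{len(item.roles_with_access)} roles can read {where}; restrict to those who need it"))
        if not item.encrypted_at_rest:
            findings.append(("encryption", item.category, f"{where} is not encrypted at rest"))
        if item.last_verified < verified_after:
            findings.append(("quality", item.category,
                             f"{where} last verified {item.last_verified}; check accuracy (Condition 5)"))
    return findings


def flow_gaps(flows):
    """Return (kind, route, message) findings for movements of information."""
    findings = []
    for f in flows:
        route = f"{f.source} -> {f.destination}"
        if f.third_party and not f.written_contract:
            findings.append(("operator-contract", route,
                             "no written operator agreement covering security measures"))
        if not f.transport_protected:
            findings.append(("transport", route, "information travels unprotected"))
        if f.cross_border:
            findings.append(("cross-border", route, "transfer leaves the country; review the basis for it"))
    return findings


def breach_impact(system, inventory, flows):
    """What the register says would be exposed if `system` were compromised."""
    categories = sorted({i.category for i in inventory if i.system == system})
    onward = sorted({f.destination for f in flows if f.source == system})
    return {"categories": categories, "onward_destinations": onward}


if __name__ == "__main__":
    for finding in inventory_gaps(INVENTORY) + flow_gaps(FLOWS):
        print(*finding, sep=" | ")
    print(breach_impact("spreadsheet", INVENTORY, FLOWS))
```

Running it against the constructed register lists the spreadsheet of bank details as the weakest point: three roles can read it, it is not encrypted, it was last verified in 2019, and it is sent to the accountant without a written agreement or transport protection. The `breach_impact` lookup is the point of keeping the inventory current: if the spreadsheet were compromised, the register immediately answers which categories were affected and which third party also holds copies.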
Have you developed/confirmed procedures to respond to requests for access and correction to personal information?
Section 5 of the POPI Act stipulates that a data subject has the right to request, where necessary, the correction, destruction or deletion of his, her or its personal information.
Have you developed a data privacy incident/breach response plan?
Section 22 of the POPI Act stipulates that where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party (Information Officer) must have an incident/breach response plan which, amongst other things, includes notifying the Regulator and the data subject.
The activities addressed in the newsletter are some of the key requirements to ensure POPI compliance. As an FSP, you may deal with many clients and as a result sit with a wealth of information. With this being said, the activities mentioned above will require thought and time as they deal with the flow of all of the personal information in the business. If done properly, these activities will help your business highlight where weaknesses in the flow could result in a breach. For more information about how Masthead can assist you with POPI compliance, click here.
It is clear that in order to ensure compliance with the POPI Act and to minimise the risk of a data breach occurring, the business will need to work together as a whole. This is why training and awareness are so important. ‘Educating staff’ was one of the top three privacy programme elements reported by respondents to the ITWeb and KnowBe4 online survey. This way everyone in the business thinks Data Privacy Management, closing the gaps from every angle in the business. To find out more about how you can familiarise yourself with POPI, or if you are an Information Officer looking to raise awareness amongst your staff on the importance of POPI compliance, click here.
The purpose of the POPI Act is to give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party. From the examples used in the newsletter, it becomes clear that the POPI Act is principles-based. It requires the business to look at all its processes and constantly ask, does this action, process, policy or procedure protect the personal information in my care? Is this action POPI compliant? Do I really need this personal information or am I creating an unnecessary privacy risk to my clients and employees? Even though it may require more effort in terms of implementation, if implemented correctly everyone involved is protected. POPI Act compliance and thinking Data Privacy Management may protect your business from a fine or an employee from imprisonment. For assistance on becoming compliant with the POPI provisions, click here.
In a previous newsletter we mentioned that penalties for offences in the POPI Act are either fines or imprisonment. Given that the business cannot go to jail, someone will be held liable. Who that person is, is dependent on the court’s determination. It should be viewed as an opportunity to demonstrate how as a business you always act in the client’s best interest, ensuring that their personal information is always protected. It is also an opportunity to show your employees that you act in their best interests by educating them, giving them an opportunity to understand the importance of following the correct processes, of encouraging them to speak up when there is a weakness in a system, and/or when they receive suspicious emails or telephone requests.
Click here to read more about the necessary security measures needed to mitigate cybercrime.