In 2013, the Protection of Personal Information Act No. 4 of 2013 (the POPI Act) was signed into law. It did not take full effect at the time; however, on 22 June 2020 the President issued a proclamation regarding the commencement of certain sections of the POPI Act, which are set to take effect on 1 July 2021. In a recent interview between Michalsons attorneys and the Information Regulator, when asked if there would be an extension to the deadline past 1 July 2021, they confirmed, ‘It’s going to be an empathetic no’.
With this deadline quickly approaching, businesses are facing pressure to ensure compliance with the POPI Act before the deadline. Non-compliance could result in steep fines or imprisonment for businesses and/or individuals. Ultimately the impact on the business could be a loss of trust from clients, affecting client retention and growth as well as business profitability and sustainability. As a result, when given the choice to comply with the POPI Act or not, we strongly encourage businesses to comply.
With this being said, you may be wondering:
- Am I confident that my business will be compliant with all the requirements in the POPI Act by 1 July 2021, or do I need assistance in this regard?
- Am I aware of all the personal information being processed and subsequent risks in my business?
- Based on implementation of the relevant business processes as well as security safeguards required to jointly mitigate the risk of a breach, can I confidently reassure my clients that I have done everything reasonably possible to protect their personal information?
In this newsletter we look at the 10 steps you can take on your journey to becoming POPI compliant by 1 July 2021.
1. Create a formal compliance project timeline in order to comply with the POPI Act
This project should include the activities necessary to achieve compliance with the POPI Act (e.g. formally confirming who will act as the Information Officer). Each activity should be assigned to a responsible party who is accountable for its completion. Further to this, a completion date should be assigned to each activity, keeping the deadline of 1 July 2021 in mind. We therefore encourage you to carefully consider your capacity in terms of resources, such as time, when drawing up this project timeline. To ensure that the project is executed successfully, it is worthwhile to assign a project manager. This person can then monitor the progress of the compliance project and implement remedial actions where necessary to ensure the business is on track to achieving compliance with the POPI Act.
2. Confirm the Information Officer
The role of the Information Officer is automatically designated as defined in both the POPI Act and the Promotion of Access to Information Act, 2 of 2000 (PAIA). In the case of a public body, the Information Officer is the Director-General, head, executive director or equivalent officer, or the person who is acting as such. In the case of a private body, the head is the chief executive officer or equivalent officer of the juristic person, or any person duly authorised by that officer as defined in PAIA. The duties of the Information Officer are stipulated in Section 55 of the POPI Act and Section 4 of the Regulations relating to the POPI Act, dated 14 December 2018, and include responsibilities such as encouraging compliance with the conditions for lawful processing of personal information in the business.
The Information Regulator understands that the Information Officer (e.g. CEO or Managing Director) has additional duties to fulfil in terms of their existing role in the business. They have therefore made provision for this by allowing the Information Officer to designate and delegate responsibilities to as many Deputy Information Officers as necessary to perform the duties stipulated in Section 55 and the Regulations. What is important to note, however, is that even though Deputy Information Officers may assist the Information Officer in performing their duties, accountability for non-compliance still remains with the Information Officer. As a result, the Information Regulator suggests that when Deputy Information Officers are appointed, the business identifies people who are used to having responsibilities, in other words people who can be relied on to execute these duties. This is critical because penalties for offences in the POPI Act are either fines or imprisonment, and given that the business cannot go to jail, someone will be held liable. Who that person is depends on the court’s determination.
Once an Information Officer is confirmed and/or Deputy Information Officers are appointed, it is important to ensure that they are formally registered with the Information Regulator. A list of responsibilities should also be created for both the Information Officer and Deputy Information Officers, taking into account the requirements stipulated in the POPI Act and Regulations mentioned above. These should be formally documented and agreed upon by the relevant stakeholders involved.
3. Conduct a POPI Act GAP Analysis and develop the required Compliance Framework
This means that the business should establish and identify clear activities relating to specific duties regarding compliance with the POPI Act, e.g. registering your Information Officer with the Information Regulator once their online system is available. The responsible parties involved in ensuring compliance with the POPI Act should communicate with relevant stakeholders in order to regularly monitor progress on the POPI compliance project. If you have assigned a project manager, that person can do it. Otherwise the Information Officer or Deputy Information Officer needs to communicate constantly with the relevant stakeholders involved in the implementation to ensure compliance in the business and that the business meets its regulatory obligations.
Once an activity is completed, the business should formally document evidence thereof. This may prove to be useful should the Information Regulator or any person question the business on a particular POPI related requirement. Further to this, Section 4 of the Regulations, as referred to above, stipulates that an Information Officer must ensure that a compliance framework is developed, implemented, monitored and maintained. The GAP Analysis serves as the compliance framework and should be updated on a continuous basis and used to keep track of the business’ progress towards compliance with the POPI Act.
4. Identify and assess the different types of personal information in the business and how it is processed
The POPI Act (in Section 1) provides a broad definition of personal information and it is important to take this into consideration when performing this step. Ensure that when your business processes personal information it is aligned with the eight conditions for lawful processing of personal information contained in Chapter 3 of the POPI Act, viz. (1) Accountability, (2) Processing limitation, (3) Purpose specification, (4) Further processing limitation, (5) Information quality, (6) Openness, (7) Security Safeguards and (8) Data subject participation.
Be mindful of who has access rights to the personal information processed and how this is managed. Ensure measures are put in place to prevent unauthorised access to the data subject’s personal information e.g. requiring two-step verification before being able to access personal information, encryption or password protection. This will require the business to identify and carefully think about how it stores personal information. A risk assessment should be done to determine the vulnerabilities of storing information on certain devices and systems. When old hardware is replaced, does the business ensure that data is properly removed? When data is stored in the Cloud, how do you protect it against unauthorised access?
5. Develop and implement policies relating to POPI Act compliance
In order to ensure effective compliance with the POPI Act, the business needs to consider practices which relate to effective Data Privacy Management. In other words, how to embed good practice into every single policy and process, and how to ensure that everyone in the business understands their responsibility to ensure that clients’ personal information is protected. This means that existing policies, e.g. Job Descriptions or Performance Contracts, should be reviewed to ensure the incorporation of the POPI Act requirements, for example by including a clause requiring POPI training, awareness and adherence to the adjusted internal procedures and requirements. Further to this, the business should develop a Privacy Policy Statement that is communicated to all relevant stakeholders. This will help stakeholders understand what personal information is processed, how that personal information is processed and how it is protected by your business.
6. Revisit your website
Identify what you wish to review on your website, should you have one. Look at what may have been impacted by the POPI Act and what would need to be changed and/or updated, e.g. does your website tell users what personal information is being collected and why? Ensure that the business has a cookie policy with a pop-up notification on the website which meets the POPI Act’s requirement that when personal information is collected, it is done with informed consent and is duly protected. The POPI Act defines electronic communication as any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient. Therefore, if cookies are used for direct marketing in your business, Section 69 of the POPI Act is applicable. Section 69 requires consent from the data subject when processing their personal information for the purpose of direct marketing by means of any form of electronic communication. Further to this, it is important to note that the POPI Act is a principles-based Act. Therefore, the principle of protecting personal information still applies even if something such as a cookie policy is not specifically mentioned.
7. Create a PAIA manual or update your existing one
Section 17 of the POPI Act requires the responsible party to maintain the documentation of all processing operations under its responsibility as referred to in Sections 14 or 51 of PAIA. PAIA aims to promote transparency, accountability and effective governance of all public and private bodies, and these two sections refer specifically to the PAIA manual. The PAIA manual allows individuals whose personal information has been processed by a particular business to understand how to access the records of this personal information held by the business. As a business you will also be able to determine what records are being kept, as the manual needs to contain descriptions of the records which are available. It is an opportunity for the business to determine whether there are certain records which it is no longer authorised to retain, as retaining them would contravene Section 14 of the POPI Act (Retention and restriction of records).
Should you have an existing PAIA manual in place, it is worthwhile to review this against the requirements in PAIA and make amendments where necessary. Ensure that the manual follows the prescribed layout and that it includes the necessary requirements as per PAIA.
Masthead is able to assist with reviewing the PAIA manual. Contact us for more info.
8. Implement processes to ensure POPI Act compliance to manage personal information
To do this, your business needs to create a compliance framework, as mentioned in Step 3 above, as required by the responsibilities of the Information Officer. We recommend that the compliance framework takes into account the lifecycle of personal information processed by the business. This lifecycle starts when the personal information is collected and runs right up to the point at which it is destroyed. As processing of personal information is at the heart of your business, the processes which ensure ongoing Data Privacy Management, and as a result POPI Act compliance, should be reviewed constantly rather than seen as a once-off implementation event. This means, for example, regularly testing the business’ technical security measures (e.g. firewalls or antivirus) to see if they still work, rather than implementing technical security measures once and not monitoring their performance regularly, and providing ongoing training and awareness to staff members as business processes and their Job Descriptions change. For the business to measure ongoing compliance, it can conduct internal POPI compliance assessments, or it can obtain a formal external review and input from an independent Third Party. The results of either option could be displayed on a dashboard to highlight the business’ progress and where processes need to be improved or created. For example, the business might notice that even though there are contracts in place with Third Parties, e.g. contractors who process personal information, the business does not have a process to ensure that these contractors adhere to the security measures stipulated in the agreement, e.g. encrypting the information. This can then be highlighted in weekly meeting reports and a process can be created.
Masthead is able to assist with reviewing Third-Party Agreements. Contact us for more info.
9. Train employees and relevant stakeholders on their POPI Act compliance roles and responsibilities
Employees should be trained on the specific requirements relevant to the business, e.g. employees who deal with direct marketing should be educated in more detail on the specific requirements linked to that area, such as ensuring they obtain the client’s consent before processing the client’s personal information for the purpose of direct marketing by means of any form of electronic communication. Those who respond to queries via email can be trained on how to encrypt or password-protect attachments. Training should be ongoing and include updated requirements or new regulations, guidelines or notices published by the Information Regulator. Training may even include what is considered a breach, e.g. sending an email that contains personal information to the wrong client. Further to this, it may include awareness training on the internal business process which must be followed in the event of a breach, e.g. an employee would need to inform their line manager, who in turn will inform the Information Officer, at which time the formalised process will be followed, e.g. notifying the data subject and the Information Regulator. Knowing how to respond may help contain the breach more quickly. The training can take place in various ways, e.g. self-study, online training or face-to-face. POPI training is critically important as breaches are most likely to occur in the day-to-day operations of a business. In order to ensure effective ongoing training and awareness, it may be useful to provide additional support to the specific roles responsible for ensuring that ongoing training and awareness take place, e.g. the Information Officer and Deputy Information Officers.
Masthead offers a variety of POPI training and awareness sessions.
10. Include POPI Act compliance as part of your ‘Business-As-Usual’
Once the POPI Act takes effect on 1 July 2021 it will be here to stay. As a result, businesses should incorporate it into their day-to-day operations. When new business products, services or processes are designed, they should be designed with the POPI Act requirements in mind. As mentioned in Step 8, once you have implemented processes that support compliance with the POPI Act, it is important to remember that it’s not a once-off activity. The business needs to continuously keep up to date with the latest legislation and regulations related to the POPI Act and data protection, and update its processes accordingly.
Ultimately, compliance with the POPI Act can be seen in the same light as risk management, an ongoing core business activity that involves identifying new risks, reviewing existing risks regularly and implementing appropriate controls to ensure that mitigation measures are in place.
We hope that these steps shed light on how to be proactive in terms of meeting the POPI Act deadline of 1 July 2021. While the POPI Act and its accompanying regulations may seem daunting, it is about protecting your clients and your business in order to ensure long-term sustainability.
Even though we listed 10 steps to take on your POPI compliance journey, POPI compliance should not be approached as a checklist. The POPI Act is principle-based, which supports the approach by the regulators through legislation like the Financial Sector Regulation Act and the draft COFI Bill. The outcome is about treating the client fairly. As a result, we encourage you to keep this in mind and incorporate business practices which can help you achieve this. It will not be a one-time activity – it is continuous.
At Masthead we offer various POPI Compliance solutions including:
- POPI Training – which includes a webinar and an online course.
- POPI Implementation – which includes assistance with full POPI implementation throughout your business, and
- A DIY POPI Compliance Toolkit to guide you on your implementation journey.
Read more about our solutions or contact your Compliance Officer for more information.