The Review phase is the final phase and forms the last issue of the ‘Preparing for POPI’ series. This is a recap of the series to summarise the process.
Review should not be seen as a last step, but should be a continuing process to ensure that compliance is regularly monitored. Being POPI Compliant will be a continuous process and therefore should receive the required focus and resources.
The first phase was that of creating Awareness. This entails understanding your business and how POPI will practically affect it. It will also help to determine which other laws refer to the protection of information and any prescribed period for retention of documents.
There must be an understanding of how the business interacts with its data subjects. These are not merely customers, but also employees, vendors, shareholders, prospective customers or contractual parties. It must then be established that these categories of persons all form part of your data subjects. The personal and special personal information of these persons must be identified and distinguished.
It must be determined who the Operators in your business are. An operator is someone who processes personal information on behalf of the responsible party in terms of a contract or mandate, but without being under the direct authority of the responsible party. POPI clauses are to be included in all SLAs with operators, or a POPI addendum must be added to existing SLAs, to ensure that the operator handling your business's personal information on your behalf exercises the necessary care.
The second phase is the Planning phase, to ensure that everybody in the business is prepared and on board with the developments which POPI will bring. Part of this is to make sure that your business has appropriate processes and governance structures in place so that the requirements of POPI can easily be implemented. This means looking at your business and its existing procedures and using a three-step plan to assess, analyse and define solutions in line with POPI.
The third phase is that of Implementation. This phase will consist of Communication and Consultation. This can be done by defining the context of the organisation’s POPI framework, formulating a POPI policy, embedding processes into practice, assigning resources and determining responsibility.
Please refer to the previous issue on ideas for implementing POPI.
The final phase of Review is to check that the processes, procedures and solutions which you have decided on have been correctly implemented and are achieving the desired results. The amended documents and systems aimed at protecting personal information must be continuously monitored and audited to ensure compliance.
To ensure that your operators are compliant, the onus is on the business to audit and review the processes of the operators to ensure that they are meeting the requirements of POPI. The key individual of the FSP is the party responsible to ensure that the business protects information of its customers and other identified data subjects.
It is also imperative that the business sets up processes and systems to ensure continuous compliance that can be easily measured.