In order to create awareness on POPI, it is important to start by understanding why your business should protect personal information. Processing of personal information should be approached with a choice of either protecting processing of personal information or the free flow of such information.
Who are your data subjects?
The data subject is the person whose personal information is being processed. It is important that in preparing for POPI, it is established who the data subjects are in your business. It is not merely your customers, but it can also be your employees, vendors, shareholders, prospective customers or contractual parties. It must then be established that these categories of persons all form part of your data subjects.
The personal and special personal information of these persons must be identified and distinguished. Personal information is information relating to an identifiable, living natural person.
Who is the responsible party?
Once the data subjects have been identified, you will need to decide who the responsible party in your business will be. The responsible party is the person/s who will determine the purpose and means for processing personal information. This will in most cases be the Key Individual who oversees the operations and strategies of the business.
The responsibilities of the responsible party
The responsible party must ensure that the business is: responsible with processing personal information, that processing is limited to cases of consent, specifies purpose of processing, limits further processing, ensures that quality information is being processed, communicate with customers (or other data subjects) what is being done with their information, ensure information security and to allow the data subject to access their information upon request.
It is evident that the responsible party will hold responsibility. The responsibilities especially relate to gaining consent from data subjects themselves. The retention period and register will also be the responsibility of the responsible person. This will entail ensuring that irrelevant information is not kept and that the information being kept is correct and accurate. The most important aspect is that of information security. The test which will be used to ensure that sufficient methods are used is: whether the security methods are ‘reasonable and necessary’. If there is a breach of personal information, the Regulator will determine if the information security system used was indeed reasonable and necessary.
Who are the Operators in your business?
Lastly, it must be determined who the Operators in your business are. An operator is someone who processes personal information on behalf of the responsible party in terms of a contract or mandate, but without being under the direct authority of the responsible party. Make a list of operators that are linked to your business and review your Service Level Agreements (SLA) / contracts with them. POPI clauses are to be included in all SLAs with operators or a POPI addendum must be added to existing SLAs. This is to ensure that the operator handling your businesses’ personal information on your behalf exercises the necessary care as the responsible party will still be held accountable. Request the operator to monitor their in-house methods and then report back to the responsible party. This is very important to secure integrity with the Act- as this will be part of the ‘test’ of determining if you are compliant.
These are the first important steps which we encourage you to take as part of the creating awareness phase of POPI.