Get your free guide
ESET Southern Africa and privacy experts Michalsons, have produced this guide to examine how the new POPI Act will affect you.
Online compliance check
This site is designed to help you understand the GDPR, quantify the requirements, and offer solutions.
Complying with the POPI Act, step by step
The implications of the POPI Act are complex, so we have broken down the compliance process into three groups of measures that you should consider, subdivided into various areas of more detailed explanation. Just click on the bars in the diagram below to examine these areas at your convenience.
The Protection of Personal Information Act (POPIA) stipulates that organisations must take ‘appropriate, reasonable technical and organisational steps to prevent personal information from being lost, damaged or destroyed, or unlawfully accessed or processed’.
While the POPI Act does not define ‘appropriate, reasonable’ steps, it does mention that international standards and guidelines relevant to protecting privacy should be used. It is therefore necessary to consider the guidelines and precedents set by international data protection legislation such as the Data Protection Act (DPA) of the United Kingdom (UK) and the more recent General Data Protection Regulation (GDPR) of the European Union (EU) that are more prescriptive.
From these International Guidelines, we have determined some specific areas of action to help move you towards achieving compliance with POPIA. A compliance exercise should be outcomes-based and not a tick box exercise.
– Comply with the law following a risk-based approach and by doing what is reasonably practicable.
– Be able to demonstrate what you did to comply.
– Build trust with your stakeholders
– Minimise the risks of non-compliance.
Under POPIA, organsations are required to have a data governance strategy in order to ensure that they reduce the risk of being non-compliant to POPIA which will demonstrate that it takes data governance seriously. Measures that prove that organisations are serious about accountability include amongst others:
Accountability for processing of personal information is held by the Responsible Party and to a lesser extent, the Operator. The responsible party is a public or private body, or any other person which alone, or in conjunction with others decides how and why personal information is being processed, and bears the bulk of the responsibility for complying with POPIA.
The Operator relates to cases where the processing of information has been outsourced to a third party that does not fall under the direct authority of the responsible party. In cases where there is an operator, the responsible party is held accountable for the actions of the operator and they must follow the instructions of the responsible party.
An Information Officer is already a legal requirement for organisations in terms of the Promotion of Access to Information Act (PAIA), however it has become significantly more onerous and complicated under POPIA. The information officer is the head of the organisation as a private body by law, namely the CEO, but this role can (and should) be delegated someone else.
The Information Office is responsible for (amongst other things):
– Encouraging their organisation to comply with POPI’s conditions for lawfully processing personal information
– Handling any requests to their organisation in terms of POPI
– Complying with the Information Regulator in any investigations regarding prior authorisation
– Making sure that their organisation complies with POPI (the information officer’s most onerous responsibility)
– Any other responsibilities that the law may impose.
The information officer holds the most important job of all and risks being held personally responsible if the organisation does not comply with POPIA. It is therefore essential that they get all the possible support and assistance from an organisation in achieving the goal of POPIA compliance.
A data protection impact assessment, also known as a privacy impact assessment (PIA), is intended to identify and minimise non-compliance risks.
A privacy impact assessment is recommended in the context of POPIA, and responsible parties must ensure that a PIA has been run, before it begins, on any “high risk” processing activity.
+Procedural Issues and Awareness
Awareness is the first step for any organisation to take in complying to POPIA. Executive level awareness is imperative as this will filter down to staff that are responsible for processing personal information.
Obligations – The Information Regulator will require that all employees of the organisation who handle and process personally identifiable information are aware of their responsibilities under the act.
Liabilities – The Information Regulator will expect that all employees of the organisation who handle and process personally identifiable information are aware of the civil and criminal liabilities of the act both at an at executive as well as personal level.
Rights – It is important that the organisation adopt a rights driven approach to clients, suppliers and employees. This approach can manifest in a company vision statement.
A Privacy Impact Assessment should be considered at least annually to benchmark the organisation’s compliance posture to POPIA and how the organisation has progressed from previous reviews to meet the required compliance mandates.
Defining a response process to a data privacy breach will allow for the organisation to handle any significant fallout from the breach, most notably to affected data subjects as well as to key business stakeholders. The process will define a notification and impact.
Data classification procedures will ease the burden on the organisation when it relates managing access to information for approved handlers. Additionally, security controls for the data can be proportional with the classification and will allow for a more granular data handling procedures when processing personal information.
The organisation should have defined policies and/or procedures in place that address the requirements to compliance to the principles in the POPI Act.
Regular review of defined data protection policies and procedures will ensure that the organisation maintains a compliance posture that is acceptable to the organisation’s auditors and the Information Regulator.
The organisation should have defined policies and/or procedures in place that address the regular review of data protection of collected personally identifiable information.
POPIA has an expectation that responsible parties and operators understand that they have both a personal as well as professional responsibility for demonstrating compliance the data protection principles outlined in POPIA.
Organisations will need to ensure that the previously defined organisational policies are in place to enforce required standards by regularly monitoring, reviewing and assessing its data processing procedures. Additionally, there will be a requirement to build in safeguards by ensuring staff are trained to understand their obligations, and if required to by the Information Regulator, be ready to demonstrate this understanding.
+Accountability – Training and Awareness
The organisation should ensure that data controllers are suitability trained as to their responsibilities relating to protection of personal information and new employees should be informed as to the requirements for data protection at the organisation.
Furthermore, employees need to be aware of whom to consult when it pertains to concerns about data protection at the organisation, which in most instances would either be their direct line manager or the companies Information Officer.
Finally, the organisation should communicate to employees that policies state that unauthorised access to information is strictly controlled and prohibited.
Should the organisation suffer a data security breach there needs to be suitably defined incident management procedures that will facilitate a collection, analysis and decision on response to the breach should it occur. Breach notifications to the Information Regulator and more importantly an affected data subject form part of an incident response and should be handled efficiently by the Information Officer.
Not reporting a breach is a further contravention of the POPI Act and could lead to stiffer sanctions should a company choose to not notify the Information Regulator or an affected data subject.
+Data Subject Rights
POPI affords data subjects the right to ensure their personal information is processed in a legitimate and appropriate manner with consent being at the forefront of processing limitations. Hence an organisation should clearly define the purpose for which personal information is collected and processed.
Define data subject access request procedures that facilitate a clear communication path between the responsible party (Your organisation) and the data subject (rights holder) to ensure that any information that is held on the data subject can be clearly articulated to the data subject when requested by them.
It has become commonplace for organisations to use technology to automate the profiling of data to analyse and predict what products or services might be relevant to a customer
Using such automated systems for processing of the personal information must always protect the rights of the data subject.
Any data subject’s information that is processed outside of South African borders needs to be done in a region that has an equivalent or better data protection regulation. For example, countries in the EU are subject to the GDPR regulations.
Data subjects need to consent to have their data transferred across borders so an explicit consent notice needs to be drafted and agreed upon by the data subject. This will ensure a responsible party is adhering to data portability requirements in POPI.
Under POPI, an organisation should be able to identify the business reasons for collecting and processing personally identifiable and special personal information. Special personal information has more stringent control requirements than personally identifiable information. Examples of special information are religion, race, demographic and biometric data.
+Information Security (Data Level Measures)
Secure, reasonable and appropriate controls need to be defined and adopted when handling personal information of a data subject. The POPI Act implies that a pragmatic approach be taken when assessing how to comply.
The recommended approach is to assess the most significant risks posed to the information that is being processed and address those in order of severity. POPIA equally allows for a subjective consideration of the resources available to the organisation – a small business could not be expected to implement the same measures as a large enterprise.
The goal is to achieve a state of compliance that is justifiable relative to the rights of the data subject, feasible for the responsible party and consistent with the reasonable and appropriate guidelines of international privacy law.
You should document what personal data you hold, where it came from and with whom you share it.
An organisation should enter into a data classification exercise to define the various types of information it holds on data subjects. This will ensure that under POPI they can examine how they process personal data and identify the security controls to apply to the data i.e. Encryption
Good practice would dictate that organisations will have a monitoring system in place for when records containing personally identifiable information are accessed by authorised employees. An access control system that reports who has access to which information and when they have accessed that information will provide a forensic capability that can be used as a legal evidence in the cases of an investigation.
The access control mechanism will also retain information on consent and have a record of legal consent being given by the data subject for processing of personal data.
Join our POPI webinar
Talk to our experts about how the new General Data Protection Regulation will affect your business. ESET is hosting webinars to explain the issues around the GDPR. These webinars are free to attend: just sign up below and we’ll invite you to the next event.
Nearly 80% of companies are not ready for GDPR
A new survey conducted by independent analysts IDC has found that most European SMBs are unprepared for the GDPR. IDC surveyed IT professionals at more than 700 businesses. It found that understanding of the new regulation remains low.
For more details- and to find out more about the GDPR for yourself – get the full IDC report, courtesy of ESET:
Understanding of GDPR impact
25% none | 52% limited | 22% full