Written by Karus Prinsloo, 30 June 2020
1 July 2020: the effective date for the bulk of POPIA’s requirements. POPIA provides for a window period of one year in order for organisations to comply with POPIA’s obligations.
POPIA gives effect to the constitutional right to privacy. It is based on international best practice and reflects some of the best features of international privacy legislation. The protection of personal information is now a statutory duty; POPIA represents sound business practice… and brings opportunity for your organisation!
Areas of business impacted by POPIA
Although all businesses differ, the biggest impact is generally in the following areas of business:
Potential risks to business
Non-compliance poses a huge reputational risk, financial risk (administrative fines of up to R10 million!) and operational risk (such as spending operational time to reactively align business processes, documents and systems with the legal requirements).
POPIA has claws! Over and above the administrative fines, POPIA provides for civil claims (including class actions) and certain offences with imprisonment of up to ten years.
POPIA is here – what now?
Assess the impact of POPIA’s requirements on your organisation. It will be necessary to change certain business processes, policies and documentation, as well as to align IT systems with POPIA’s requirements. Below are 10 focus points to consider whilst preparing for POPIA, which became effective 1 July 2020 and must be adhered to by 30 June 2021:
A phased approach is important! Identify POPIA’s impact on your organisation, who is responsible for what and by when, to ensure compliance with POPIA.
Relook the organisation’s compliance with the Promotion of Access to Information Act (“PAIA”), while working on POPIA readiness.
Who in the organisation should take the lead with regard to ensuring readiness? Allocate responsibility to a line function or individual who can co-ordinate the organisation’s POPIA readiness drive.
POPIA provides for roles of “data subject”, “responsible party” and “operator”. Identify these role players for all instances of processing of personal information.
Identify the circumstances when “special personal information”, as defined by POPIA, is processed. Ensure that such processing comply with the requirements relating to special personal information.
Address the requirements relating to direct marketing, trans-border information flows and automated processing of information.
Prior to developing POPIA specific policies and contracts, ascertain what is currently in place. Obtain advice about the adequacy of POPIA provisions in policies and agreements, prior to developing a “POPIA policy”. It is quite often not required to amend existing contracts.
Processing of personal information is not only about electronic processing. Remember to include the processing of personal information from physical documents in the scope of readiness assessments.
Take the circumstances when POPIA is not applicable into account.
Intentionally identify and pursue opportunities which POPIA opens for your organisation. Opportunity could knock in terms of new products and services, or by positioning the organisation as a responsible corporate citizen.
Establish under which circumstances consent should be obtained. Identify quick wins. Chances are that the organisation has an asset register for the physical assets it holds; consider developing an information asset register (with fields such as who uses information for what, and the like). These factors will be explored further in future articles.
Contact us at firstname.lastname@example.org for assistance with regard to your POPIA requirements. Make sure not to miss our August Information Sharing with Karus Prinsloo. For more information please click here.