"By failing to prepare you are preparing to fail" (Benjamin Franklin)
The media is awash with warnings about the dangers of not complying with POPIA (the Protection of Personal Information Act) by 1 July 2021, and indeed the risks of non-compliance are substantial.
The clock is ticking … if anyone in your business needs to be motivated to take this seriously, refer them to the Countdown Clock on the Information Regulator's website.
Although you still have until the end of June 2021 to become fully compliant, there are major benefits to understanding POPIA and starting the compliance process now – before it becomes compulsory. The penalties for getting it wrong are sizeable, "preparation makes perfect", you are giving yourself time to get it right, and for many businesses there is also good marketing potential in being able to tell your customers and clients that you are already addressing the situation.
Five practical steps to start with…
Before we start on your action plan, accept that you will almost certainly have to comply fully with POPIA. As soon as you in any way "process" (collect, use, manage, store, share, destroy and the like) any personal information relating to a "data subject" (customers, members, employees and so on), you are a "responsible party". Very few businesses fall outside that net, and you are equally unlikely to fall under an exemption such as the one for information processed "in the course of a purely personal or household activity". Get going with these steps –
- Information Officer: Identify an "Information Officer" who will be responsible (and liable) for all compliance duties: working with the Regulator, establishing procedures, and training your team in awareness and compliance. You are automatically your business's Information Officer if you are its "Head", i.e. a sole trader, any partner in a partnership, or (in respect of a "juristic person" such as a company) the CEO, MD or "equivalent officer". You, your partnership or your company can "duly authorise" another person in the business (management level or above) to act as Information Officer, and you can designate one or more employees (again management level or above) as "Deputy Information Officers". Both Information Officers and Deputy Information Officers must be registered with the Regulator. At the date of writing the Regulator's website says that its online registration portal is experiencing a technical glitch which it is working to resolve; in the meantime, download the manual Registration Form here.
- Assess what personal information you hold, how you hold it, and why: Figure out what personal information you currently hold, how you hold it, and why you hold it. To collect and "process" such information lawfully you must be able to show that you are acting lawfully, reasonably (in a manner that does not infringe the data subject's privacy) and safely.
  You must be able to show that, "given the purpose for which it is processed, it is adequate, relevant and not excessive". Data may only be collected for a specific purpose related to your business activities, and may only be retained for as long as you legitimately need it or are allowed to keep it.
  There is a lot more detail in POPIA, but you get the picture: you cannot collect or hold personal information without good and lawful cause.
- Check security measures, know what to do about breaches: You must "secure the integrity and confidentiality of personal information in [your] possession or under [your] control by taking appropriate, reasonable technical and organisational measures to prevent … loss of, damage to or unauthorised destruction of personal information … and unlawful access to or processing of personal information." You will have big problems if there is any form of breach arising from a risk that is "reasonably foreseeable", unless you can prove that you took steps to "establish and maintain appropriate safeguards" against that risk. Bear in mind that while cyber-attacks get the most media attention, the duty covers other risks too (for example lost or stolen devices, unsecured paper records and staff error): brainstorm with your team every way in which personal information could be lost, damaged or accessed without authority, and address each one.
  Any actual or suspected breach (a "security compromise" in POPIA's terms) must be reported "as soon as reasonably possible" to both the Information Regulator and the data subject(s) affected.
  If third parties ("operators") hold or process any personal information on your behalf, they must act with your authority, treat the information as confidential, and have all of the above security measures in place.
- Check if you do any direct marketing: Most businesses don't think of themselves as doing "direct marketing", but the definition is wide and includes "any approach" to a data subject "for the direct or indirect purpose of … promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject …". So, for example, simply emailing or WhatsApping your customers about a new product or a special offer puts you firmly into that net.
  If your approach is by means of "any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail", strict limits apply. As a general proposition you may market to existing customers in respect of "similar products or services" (there are limits, and recipients must be able to "opt out" at any stage), but potential new customers may only be marketed to with their consent, i.e. on an "opt-in" basis.
- Get a start on procedures and training: Cover how you will collect the data, process it, store it, for how long, and for what purpose(s). What consent forms do you need, and when and how are they to be completed and stored?
  You are much less likely to have a POPIA problem if everyone in your business (most importantly you!) understands what your procedures are and follows them as a matter of course. Make sure that no function "falls between two stools": assign each compliance task to a named staff member and make sure everyone knows who is to do what.
This is a complex topic and there is no substitute for tailored professional advice. What is set out above is of necessity no more than a simplified summary of a few practical highlights.
Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.
© CA(SA)DotNews