POPIA COMPLIANCE – WHO IS YOUR LAST MAN STANDING?

If you had your industry scouting ducks in a row, you would be aware by now that new provisions for POPIA (The Protection of Personal Information Act, 2013) came into effect on 01 July 2020, with a looming compliance deadline set for 01 July 2021 – Yikes!!!

Can you get around it? Well, NO is the short answer, as pretty much every business will be affected by the provisions contained in the gazette pertaining to the obligations imposed upon businesses to get their house in order, to comply with the requirements of processing personal information lawfully and to conduct ethical oversight at all times.

Now to start off with, a few curve balls have been thrown from the match courts of the Information Regulator concerning the accountability and actions required to be taken by responsible parties in each enterprise.

One of these is the appointment of an Information Officer and/or Deputy Information Officer, who would effectively be the last man (or woman) standing, responsible for and enabling the accomplishment of specific outcomes as indicated in sections 55 and 56 of POPIA, as well as Regulation 4.

FYI – The Information Officer

Did you know? The CEO, MD or Highest Ranking Official at an organisation is automatically deemed to be the Information Officer... a challenging feat when considering what these executives have to deal with to satisfy profit expectations from shareholders.

Hence, a concerted effort is needed to appoint and register another individual to assume responsibility for POPIA, or at least a Deputy Information Officer, to alleviate the operational and logistical pressures placed on the CEO/MD on the journey to POPIA Utopia, aka lawful compliance.

Registration Logistics

Any journey starts with the first step: in this case the registration of the Information Officer and/or Deputy Information Officer with the Information Regulator. This is one of the most important steps that must be taken, as this is the vital impending “deadline” imposed in respect of POPIA.

Responsible parties should commence registering their Information Officer and/or Deputy Information Officers with the Information Regulator on 1 May 2021 via an online portal which was finalised by the end of April. If online is not your thing, there is a manual option available as well.

Purposeful, Accountable, Responsible

With the above registration logistics covered, let’s review a few crucial aspects regarding the purpose of the Information Officer, who is the designated individual tasked with facilitating and ensuring compliance by the responsible party (company) in terms of POPIA.

Apart from POPIA, the Information Officer is also responsible for ensuring that the requirements of the Promotion of Access to Information Act 2 of 2000 (“PAIA”) are upheld. (Sounds like a job for someone like POPEYE by the looks of things!)

Therefore, apart from consuming copious amounts of “legal spinach” to comprehend the legalities of POPIA and PAIA, the primary responsibilities of the Information Officer are:

For POPIA, as stipulated by Section 55, these include:

  • the encouragement of compliance, by his or her organisation, with the conditions for the lawful processing of personal information;
  • dealing with requests made to the organisation arising from this Act;
  • working with the Regulator in relation to investigations conducted into processing which requires prior authorisation by the organisation;
  • ensuring compliance by his or her organisation with the provisions of the Act.

For PAIA Regulation 4, required activities are:

  • Ensuring that a compliance framework is developed, implemented, monitored, and maintained
  • Driving the personal impact assessment to make sure that adequate measures and standards exist in order to comply with the eight conditions for lawful processing;
  • Ensuring that a PAIA Manual is developed, and then being accountable for it being monitored, maintained, and made available as prescribed in terms of the provisions of PAIA;
  • Establishing adequate internal measures that are developed together with systems to process the requests for access to information by data subjects;
  • Assuring that internal awareness sessions are conducted regarding the Act’s provisions, the Regulations, codes of conduct, or information obtained from the Regulator.

A Looooooong list of to-do’s

So, what do you need to do to achieve compliance apart from appointing and registering your Information Officer (STEP 1)?

Well, STEP 2 of your compliance journey is for the Information Officer and/or Deputy Information Officer to assume responsibility and execute their duties under sections 55 and 56 and Regulation 4. A daunting challenge on the best of days, but critical to ensuring that the t’s are crossed and the i’s dotted regarding every aspect of the Act.

Now for the To-Do List:

In the Know – Training

Staff awareness initiatives need to be actioned to impart technical knowledge about POPIA, its provisions, and the effects on the manner in which a responsible party (company) handles personal information.

These may be executed via internal training and awareness sessions (eLearning, Face to Face, Webinars, Self-Study Materials) that should cover the provisions of the Act, the regulations in terms of the Act, codes of conduct, or other information obtained from the Information Regulator.

A Roadmap – Develop a PAIA Manual

The Information Officer/Deputy Information Officer must ensure that the outline, development, publishing, and maintenance of updates are executed in terms of Section 51 of the Promotion of Access to Information Act (PAIA).

Ground Rules – Develop a Privacy Policy and Terms & Conditions

For data protection compliance to be effective and lawful, a responsible party starts by procuring comprehensive consent (if necessary) and ensuring that the organisation has adequate terms and conditions (when and where they are needed) as well as a privacy policy in place.

Give it structure – Develop and Implement a Compliance Framework

Your compliance framework is the glue that holds everything together, even though it is not defined by the Act or specified in the regulations. The development and deployment of an adequate compliance framework remains a work in progress and encompasses collecting the documents and policies that regulate a responsible party’s data processing systems. (More on this in one of our upcoming articles.)

Delegate

As the assigned Information Officer, you are permitted to transfer/delegate part or all of your responsibilities (as set forth in the relevant provisions of PAIA and POPIA), to other individuals within the organisation.

This is granted provided that they are assigned and registered as Deputy Information Officers with the Information Regulator. Take note, however, that the buck still stops with you, regardless of tasks and responsibilities being executed by other key individuals of the responsible party.

SOS For Help

eSTUDY, in partnership with legal services provider Weavind Online, has developed a range of short but comprehensive courses on POPIA. These courses cover what each and every employee needs to know and what your Marketing, Legal, Finance, HR, and IT departments must do to comply with the Act.

Our courses are fully accredited, allowing you to claim on your Workplace Skills Plan (WSP), Annual Training Report (ATR), and Black Economic Empowerment (BEE) Scorecard.

Contact eSTUDY today to initiate your POPIA compliance efforts.