The compliance cat is out the bag – Now What?

July 2021 is around the corner, so, understandably, ‘’freak-out-mode’’ could be at the order of the day for some responsible parties (companies).

Avoid grabbing onto the first solution offering that promises quick results to get you compliant….there is no quick fix to the compliance dilemma.

At eStudy, we pride ourselves on offering granular long-term advice with practical applications to assist you in the compliance journey, not just for the July deadline but also way beyond that.  

Should Have, Would Have – Prior Authorisation

If your organization is processing or intend to process personal information as per the conditions and definitions constituting data, according to the POPIA and PAIA Act, an application for prior authorisation should be made with the Information regulator

How: by completing and submitting an application form for prior authorisation to the Information Regulator.

For what:  An application for prior authorisation does not have to be submitted for personal information that was processed prior to 1 July 2021. Although, applications must be made for any further processing that occurs after 1 July 2021. 

Please take note: Subsequent to an application submission, no further information may be processed by the responsible party (company) until such a time that the Regulator has completed its investigation or provided a notice that an in-depth investigation is not required (Obviously, you want to cross fingers for the latter outcome).

The waiting game: The Regulator aims to notify the responsible party within four weeks regarding the outcome of their submission and whether an in-depth investigation will be undertaken, upon which they have a further 13 weeks to schedule a date for the detailed investigation.

Not a compliant participant yet?

The choice is yours….NOT! If you fail to submit an application or carry on processing data during the waiting period, hefty fines and even time in the ‘’slammer” for up to 12 months even!

At The End Of The Line – Deadlines Are Here

The Protection of Personal Information Act, 2013 (POPIA) will be enforced as of

1 July 2020, and responsible parties (companies) have unfortunately taken up the “ostrich maneuver” regarding getting their ducks in a row, with a “we’ll cross that bridge when the time comes”.

Well, the next deadline is 30 June 2021, and those implicated by the Act are now well and truly confronted with this proverbial bridge. The clock is ticking with Section 114 of the Act stipulating that compliance should be established by this date.

Fortunately, no need for despair. Even though time is limited, eStudy is here to offer advice and support in your journey to D-Day.

Big Brother is Watching – The Ins-And-Outs

The Information Regulator, which was established in terms of section 39 of POPIA, is an independent body and is empowered to monitor and enforce compliance with POPIA by responsible parties. 

Its mandate is as follows:

“Ensuring the protection and promotion of access to information…we have chosen this as our tag line because this is exactly what we have been set up to do. We intend to ensure that the mention of the word “information” is associated with the Information Regulator” – Adv. Pansy Tlakula, the Chairperson of the Information Regulator,

Outlines of the powers, imposed conditions, and jurisdictions of the Regulator can be found on its website, as well as news, updates, codes of conduct, and guidance statements.


A Short History Lesson

A few security events where the Information Regulator stepped in recently were:

  • 03 April 2020 – The Covid-19 pandemic had the Information Regulator step in and address issues regarding the processing of personal information in respect of right to privacy and right to access that should be carefully balanced as explained in their Guidance Notes.
  • 20 August 2020 – They informed the public about the Experian Security Breach where 24 million South Africans had their personal information compromised
  • 13 January 2021 – The Information Regulator announced its intention to assess the revised Whatsapp Privacy Policy following the social media outcry by the South African public voicing their concerns over privacy issues with the new Facebook/Whatsapp integration and amended security policy.

Call To Action – Compliance Project 101

The Act requires all responsible parties to establish a Compliance Framework for POPIA.

At eStudy, we would assist you with the seven action items to kickstart your Compliance Framework Project:

1.       Assembling a project team

2.       Conduct an information governance (IG) maturity assessment

3.       Develop a high-level project plan

4.       Establish a budget

5.       Do a preliminary investigation

6.       Assess your current policies

7.       Draft your POPIA Compliance Framework

Framing It All

It’s also important to review your current policies and to draft a POPIA Compliance Framework.

What should be included in your framework?

  • DEFINE – the goal, purpose, and principles of your POPIA compliance programme.
  • IDENTIFY – the accountability roles and individual responsibilities within the programme.
  • INCLUDE – a policy development and alignment plan.
  • OUTLINE – a policy implementation and execution strategy.
  • DETAIL – your approach to risk assessments.
  • DESCRIBE – your approach to compliance monitoring.

Contact, Collect, Offer, Store – Ask these questions first!

Financial Services, Insurance, Banking, Direct Marketing Enterprises are often on the chopping block for security breaches, compromising data, or unethical conduct relating to the processing and transacting of personal information.

If your company is in any of these industries, this is for you.

  • What client information do you collect?
  • How are these collected?
  • Where do you store customer information?
  • What staff information do you collect, and where do you store it?
  • What services providers or third parties do you utilize that have access to your customer or employee information?
  • How is direct marketing and soliciting done?
  • Do you sell datasets that contain personal information to third parties?

As one can gather from the above, there is a gigantic opportunity within each of these questions where compliance would fall through the cracks (or gaping holes of inappropriate conduct, for that matter).

What Comes Next?

Enter the professional solutions of eStudy to assist your organisation and affected parties in navigating a successful compliance journey that satisfies all the requirements of the Information Regulator from a legal, operational and ethical perspective.

Recommended Posts