Internal measures and systems that enable POPIA compliance
The Information Regulator, in terms of its authority under section 112(2) of the Protection of Personal Information Act, has made regulations requiring information officers to ensure that internal measures are developed together with adequate systems to process requests for information or access thereto.
Internal measures that can protect the rights of data subjects include:
Safeguards, for example:
- Documentation of processing operations
- Impact assessments
- Pseudonymisation
Technical and organisational measures, for example:
- Logical access control
- Physical door locks
Mechanisms to ensure the protection of personal data, for example:
- Portal to access personal information
- System component to export personal data
- Compliance management and monitoring system
- Data protection management and data subject engagement portal.
Systems are required that enable data subjects to exercise their right to have their personal information processed in accordance with the conditions for the lawful processing of personal information, including the right:
- to be notified that:
  - personal information about him, her or it is being collected, as provided for in terms of section 18 [Notification]; or
  - his, her or its personal information has been accessed or acquired by an unauthorised person, as provided for in terms of section 22 [Notification of security compromise];
- to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information, as provided for in terms of section 23 [Access to personal information];
- to request, where necessary, the correction, destruction or deletion of his, her or its personal information, as provided for in terms of section 24 [Correction];
- to object, on reasonable grounds relating to his, her or its particular situation, to the processing of his, her or its personal information, as provided for in terms of section 11(3)(a) [Object at any time];
- to object to the processing of his, her or its personal information at any time for purposes of direct marketing in terms of section 11(3)(b) [solicited], or in terms of section 69(3)(c) [i.e. unsolicited, but already a customer];
- to not have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications, except as referred to in section 69(1) [unsolicited];
- to not be subject, under certain circumstances, to a decision based solely on the automated processing of his, her or its personal information intended to provide a profile of such person, as provided for in terms of section 71;
- to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any data subject, or to submit a complaint to the Regulator in respect of a determination of an adjudicator, as provided for in terms of section 74; and
- to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information, as provided for in section 99.
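Two of the items above are mechanical enough to show in code: the pseudonymisation safeguard listed among the internal measures, and the system component that exports a data subject's personal information to serve a section 23 access request (and drops it for a section 24 deletion request). The block below is an added example written for this page, not code from the article or from any product it mentions. It assumes a keyed HMAC pseudonym (the key held separately from the pseudonymised data set), a constructed set of records keyed by e-mail address, and the hypothetical helper names `pseudonymise`, `export_for_subject` and `erase_subject`.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample records, as a responsible party might hold them, keyed by
# a direct identifier (e-mail address). Not real people.
RAW_RECORDS: List[Dict[str, str]] = [
    {"email": "thandi@example.org", "name": "Thandi M.", "purchase": "insurance quote", "marketing_consent": "no"},
    {"email": "sipho@example.org", "name": "Sipho D.", "purchase": "home loan", "marketing_consent": "yes"},
    {"email": "thandi@example.org", "name": "Thandi M.", "purchase": "car insurance", "marketing_consent": "no"},
]

# Pseudonymisation key (constructed placeholder). The point of pseudonymisation
# is that this key lives with the information officer's function (e.g. a key
# vault), separately from the pseudonymised data set, so people working on that
# data set cannot re-identify subjects on their own.
PSEUDO_KEY = b"constructed-key-replace-with-vault-secret"

# Fields that directly identify a person and are removed from the working set.
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonym(identifier: str, key: bytes = PSEUDO_KEY) -> str:
    """Keyed, deterministic pseudonym: the same subject always maps to the same
    token, but without the key a precomputed table of e-mail addresses cannot
    reverse it (unlike a plain SHA-256 of the address)."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Replace direct identifiers with one keyed pseudonym per subject."""
    out = []
    for rec in records:
        pseudo_rec = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo_rec["subject_id"] = pseudonym(rec["email"])
        out.append(pseudo_rec)
    return out


def export_for_subject(email: str, raw_records: List[Dict[str, str]],
                       pseudo_records: List[Dict[str, str]]) -> Dict[str, object]:
    """Section 23 access request: collect everything held about the subject from
    both the identified and the pseudonymised data sets. Recomputing the
    pseudonym needs the key, so this is the controlled re-identification point
    and belongs behind logical access control and an audit log."""
    token = pseudonym(email)
    return {
        "subject": email.strip().lower(),
        "identified_records": [r for r in raw_records if r["email"].lower() == email.strip().lower()],
        "pseudonymised_records": [r for r in pseudo_records if r["subject_id"] == token],
    }


def export_json(email: str, raw_records: List[Dict[str, str]],
                pseudo_records: List[Dict[str, str]]) -> str:
    """Portable form of the export, as a portal would hand it to the subject."""
    return json.dumps(export_for_subject(email, raw_records, pseudo_records), indent=2, sort_keys=True)


def erase_subject(email: str, raw_records: List[Dict[str, str]],
                  pseudo_records: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]], Tuple[int, int]]:
    """Section 24 deletion request: drop the subject from both data sets.
    Returns the remaining records and how many were removed from each set."""
    token = pseudonym(email)
    kept_raw = [r for r in raw_records if r["email"].lower() != email.strip().lower()]
    kept_pseudo = [r for r in pseudo_records if r["subject_id"] != token]
    removed = (len(raw_records) - len(kept_raw), len(pseudo_records) - len(kept_pseudo))
    return kept_raw, kept_pseudo, removed


if __name__ == "__main__":
    working_set = pseudonymise(RAW_RECORDS)
    print(export_json("thandi@example.org", RAW_RECORDS, working_set))
    _, _, removed = erase_subject("thandi@example.org", RAW_RECORDS, working_set)
    print("removed:", removed)
```

The design point is key separation: the analytics or marketing team receives only `pseudonymise(...)` output, while the export and erasure paths, which need the key to link the pseudonym back to a person, sit with the information officer's portal and are logged. Note that a deletion request must be applied to the pseudonymised set as well, which is only possible because the pseudonym is reproducible from the key.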
A POPIA compliance management and monitoring system together with online portals for consent management and handling data subject requests are now essential tools of an information officer.
Information Officers Assoc., GDPR Certification Services, AI Governance (1 year ago):
Artificial intelligence systems that comply with POPIA: https://popia.systems
Nedbank Group Information Privacy Officer at Nedbank (6 years ago):
Agree with the approach, but it's extremely important to acknowledge that there is no silver bullet to privacy compliance. The most underrated control is change management and how any privacy system (if any), policies and processes are supported by employees. Frameworks and privacy systems (again, if needed) are only a part of the overall approach to the solution.