Preparing for POPIA & the GDPR
Authors: Jamie Brandes, Yvonne Lazarowicz, Justin Ridl
“The world’s most valuable resource is no longer oil, but data” ~ the Economist.
In an age where information is more readily available than ever, data protection regulations could not have come at a better time. Dinner table conversation often turns to scams we have found ourselves privy to, or direct marketing schemes that seem to target us scarily specifically.
Organisations dealing in data and data processing are dealing with a very slippery commodity. Data leaks and breaches occur daily, and the consequences are often far-reaching for the data subject who has fallen victim to inadequate protection.
With the world moving towards greater consumer protection, South Africa has been no exception. The Protection of Personal Information Act (“POPIA”) seeks to set out conditions for the processing of personal information in South Africa. It is South Africa’s sole data protection law, and aims to provide a measure of protection against damage by protecting the personal information of citizens. The Act is an extension of the constitutional right to privacy, a fundamental human right. But most notably, the Act echoes Europe’s General Data Protection Regulation (the “GDPR”).
What is the POPIA?
The Act identifies various parties in the data processing process, and assigns various rights and obligations to them. Whilst POPIA has not yet been fully implemented, various aspects came into effect in April 2014; these laid the foundation for what will become a stringent framework for data processing in South Africa.
The three main parties identified under the POPIA are:
- The data subject: the person to whom the data relates;
- The responsible party: the person wanting to process the data of the data subject; and
- The operator: a person who will conduct the actual processing.
All personal information of a data subject, processed within South Africa, may only be processed if the data subject consents to the processing. If a data subject refuses to give their consent to the use of the information, a responsible party may not use the information.
Furthermore, organisations falling within the scope of POPIA must appoint an Information Officer: a party responsible for implementing a compliance framework within these organisations, and ensuring that adequate measures and standards are in place to provide conditions for the lawful processing of personal information. Information Officers must also implement a policy or manual which allows for a preliminary assessment of the suitability of security measures, to be followed by the responsible party when processing that particular data subject’s information.
Organisations who suspect the occurrence of data breaches are obliged to contact the Information Regulator immediately, report on the extent of the breach, and notify the data subject that their data has been exposed.
The POPIA essentially tasks responsible parties with just that: responsibility for the information they receive and process. How organisations use your data, and to what extent, will be heavily policed both internally and externally, and data subjects are given the reins to determine how their data will be handled. These themes and provisions are nothing new, and like a peer-pressured teen, the POPIA seeks to follow the trendsetters. POPIA seeks to align itself with the GDPR, set to come into force in January 2018.
With organisations at the ready for compliance with the GDPR, and the looming announcement of the implementation of POPIA, setting your organisation up for compliance under the GDPR means inadvertently setting yourself up for compliance with POPIA.
GDPR and POPIA: A brief comparison
The POPIA and the GDPR are strikingly similar, and both boil down to a few essential characteristics:
1. Organisations must appoint an Information Officer (POPIA) or a Data Protection Officer (GDPR), both of whom will be responsible for organisation, internal education, compliance, policy drafting and implementation, and maintenance of records regarding data processing, within the organisation.
2. Both require policies to be implemented to ensure compliance, and data subjects must be made aware of these policies; and know exactly what, when, where and how their information is being processed.
3. Data subjects need to explicitly consent to the scope and extent of the processing of their information; preferably in writing or some other express manner.
4. Privacy Impact Assessments (GDPR) or Preliminary Assessments (POPIA) need to be undertaken to identify and reduce risks relating to privacy prior to the processing of the data of data subjects.
5. Where a data breach (GDPR) or unauthorised access to personal information (POPIA) occurs, the regulator must be informed as soon as practically possible of the breach, in sufficient detail.
6. Data subjects have extensive rights, including the right to be forgotten (GDPR) and the right to request correction, deletion or destruction of their data (POPIA).
7. A controller (GDPR) or responsible party (POPIA) must ensure that third party processors (GDPR) or operators (POPIA), who process data on behalf of the controller or responsible party, implement sufficient security measures.
The above is not an exhaustive list, but it does give an indication of the similarity between the two sets of regulations.
Preparing for Data Compliance
In terms of the GDPR, organisations within the EU, and some operating outside, who process the data of EU citizens, will have to get their house in order and comply with these regulations by 25 May 2018.
For organisations dealing exclusively with the processing of South African citizens’ data, or those who process data generally within South Africa, the grace period of one year for compliance with POPIA starts running from the commencement date. This date, however, has not yet been proclaimed by the State President. This means that, upon the announcement (whenever that may be) organisations will have just one year to rearrange their policies to align perfectly and comply with the POPIA. Whilst one year may seem a lifetime to some, only the wisest will know: time waits for no data processor.
Given the rise in global business, organisations situated in South Africa may fall within the scope of the GDPR; and vice versa. It’s therefore in your best interests to determine if your organisation falls within this dual scope; and to set things in motion as soon as possible.
The translation of the GDPR compliance models into the POPIA model should be relatively easy and seamless, but organisations are cautioned to note the subtle differences between the two models.
Readying your organisation
A massive part of grappling with your GDPR and POPIA compliance is collating all your data so that it’s easy to determine what type of data you are holding, for whom, and to what extent you may process this data. The consequences for failing to secure the data of data subjects, under both the POPIA and the GDPR, are immense; organisations should not only do their best to avoid any data breaches, but must also be able to provide evidence of the security measures in place.
Once you have collected your data, you will need to appoint a Data Protection Officer or an Information Officer, depending upon whether you are a GDPR- or POPIA-affected organisation. With this appointment comes great responsibility, and the policies will need to be drafted and implemented relatively quickly.
If your organisation is relatively disorganised in its data management, which, let’s face it, most of us are, then you’ll be faced with an immense undertaking in order to comply with either of the two pieces of legislation. A handy way to get to grips with the data in your organisation, may be to utilise eDiscovery platforms, and contract management software (for more on this, see our article on the GDPR and eDiscovery). However, given that the GDPR deadline is less than a year away, and given that the POPIA countdown could begin at any moment, the compliance task faced by organisations falling within the scope can be rather daunting.
With so little time left to comply, it is advisable that organisations act fast and seek alternative solutions to implement a data protection framework. It is a massive administrative undertaking for organisations who have yet to think about their data protection policies, and one that many would rather push aside than deal with. The undertaking is luckily one that can easily be outsourced; allowing organisations to focus on their business, rather than worrying about the time-intensive, administrative checklist that must be followed to comply with POPIA and/or GDPR.
These tasks are second nature to Cognia Law, and our experience in dealing with large compliance projects of this type is extensive. Cognia Law provides a detailed and effective GDPR and POPIA offering, including a full audit of your platform’s GDPR and POPIA compliance. Our scalability and access to skilled resources allow us to meet our clients’ varying demands and to work to very strict timelines. Our team is composed of experienced lawyers and paralegals, allowing us to provide a comprehensive, professional and, most importantly, effective solution to your compliance needs.
For more information contact Yvonne Lazarowicz on [email protected] or Justin Ridl on [email protected].
You can also follow us on Twitter and LinkedIn or visit us here: www.cognialaw.com