Sustainable POPIA Compliance
The commencement date of the remaining provisions of the Protection of Personal Information Act 4 of 2013 ("POPIA") was proclaimed on 1 July 2020. That means your organisation would have to be POPIA compliant by no later than 30 June 2021.
Failure to adhere to the requirements of POPIA (and, where applicable, the EU General Data Protection Regulation ("GDPR")) could lead not only to fines, penalties, damages claims and potentially imprisonment for certain officials, but could also have a catastrophic impact on the organisation's brand and reputation.
POPIA implementation and compliance will not be a unique or entirely novel exercise. The EU recently implemented the GDPR, and we learnt that companies either did not give themselves enough time to prepare for the compliance deadline or, having met it, feared that they would not be able to sustain compliance.
Becoming compliant merely to pass an audit is easy; maintaining compliance is another challenge. It is easy to draft all the right policies that address all the right issues, to post those policies on a website and to quickly email them to all employees. It may also be relatively simple to update some software and security measures. However, such quick and simple compliance tactics may not be sustainable. What happens after the "audit"? Everybody goes back to old habits.
Regulation 4 under POPIA provides that an information officer must ensure that:
· a compliance framework is developed, implemented, monitored and maintained;
· a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
· a manual is developed, monitored, maintained and made available as prescribed in section 51 of the Promotion of Access to Information Act 2 of 2000;
· internal measures are developed together with adequate systems to process requests for information or access thereto; and
· internal awareness sessions are conducted.
It is clear from Regulation 4 that being compliant is an ongoing process and includes the continued monitoring and maintenance of compliance, impact assessments to ensure compliance and ongoing training and awareness campaigns to remind employees of compliance.
We suggest some basic guidelines to assist with sustained compliance:
1. It's a mind shift. Many organisations (and employees) have been following the same processes for many years. Change is never easy; we are creatures of habit after all. However, sustained compliance requires a willingness to truly change behaviour. This requires buy-in at all levels (starting with top management) and an understanding of why we need to change our ways. This is why effective training, from the start, is critical.
2. Create a culture of compliance. No sustainable compliance program can be successfully implemented without a culture of compliance. To be clear, paper compliance or a once-a-year "let's get ready for an audit" exercise is not a culture of compliance. A culture of compliance is one where compliance is embedded into everyday workflow. Most importantly, a culture of compliance is an attitude observed from management.
3. Know your data. Sustained compliance requires ongoing knowledge of your organisation’s data and data flow. In this regard, building a data inventory and data flow process is critical. Depending on the size of your organisation and the number of business systems, you could do this manually, but most companies would benefit from an automated process that allows ongoing visibility into and the monitoring of business systems and processes.
4. Know what to do. It is your responsibility to ensure that your employees know and understand exactly what is expected of them. They should be confident in dealing with various data privacy issues, or at least know who to contact if they are not sure. This can be achieved by effectively implementing clear and user-friendly policies and by providing ongoing training and awareness campaigns.
5. Know what your service providers are doing. It is your responsibility to ensure that your service providers process data on your behalf in compliance with POPIA. It is therefore important to ensure that your service providers have also implemented sustainable compliance programs. Importantly, you need to secure the proper contractual obligations from your service providers so that they are working toward, or have achieved, the same standards as your company when it comes to processing personal information on your behalf.
By Wilmari Strachan