The Protection of Personal Information Act, 4 of 2013 (“POPIA”) is coming, and in a country where our right to privacy is constitutionally entrenched, it makes total sense. Put aside the difficulties faced by the South African Information Regulator, or the time it took for the Regulations to be published. What is it about POPIA that makes some organisations so blasé about putting off implementation?
Beyond defining personal information, POPIA is a cornerstone for the South African concept of modern privacy. It governs the control of personal information in a rapidly evolving world and as there is no privacy without secure data, it expands into the depths of digital infrastructure and information security too (also keep an eye out for the Cybersecurity Bill). When privacy and cybersecurity come together, what started as an exercise in personal information can quickly sprout into a web of digital confusion. The nature of this organisational exercise may cause lethargy to set in, as compliance is viewed as an expensive, high capacity task best left alone until necessary.
POPIA, initially published in 2013, has taken its time, inadvertently affording many years for compliance – which can be quite necessary for many larger organisations. While it is true that there will be a one-year grace period, expected to end June 30th 2021, the Act requires compliance to be “reasonably practicable”. It is unlikely that last-minute compliance will meet this standard, where issues in implementation result in a breach or non-compliance after the grace period has passed. The Information Regulator is already operational and open to complaints. Investigations and prosecution of complaints are underway, with existing privacy laws as authority and POPIA considered in terms of public policy. This means that by the time POPIA is entirely in force, the Information Regulator will have its processes refined and ready to go.
Bearing in mind that there is no one-size-fits-all POPIA compliance strategy, how do we light a fire under lethargic companies to tackle their compliance? Often, all that is actually needed is a transparent, trackable process.
Breaking the process down into smaller chunks helps conceptualise the way forward, providing an overarching structure in a concise and digestible manner – diving deeper into each stage as it’s reached. This doesn’t mean leaving anyone in the dark; instead, it’s a matter of fanning out and clarifying the information. A digestible process might look something like:
STAGE ONE: POPIA AUDIT
Understanding what an organisation’s compliance needs are comes from a clear understanding of where an organisation currently stands. Comprehensive and well-structured audits go a long way, not only in providing you with valuable insight but also in helping an organisation see where POPIA fits into its daily operations – dispelling much of the confusion around the need for POPIA. The Act requires a formal Impact Assessment, which fits in nicely as part of the audit process. A basic audit will at least answer the following questions:
- What is the size and nature of the organisation?
- How is personal information processed within the organisation? Is it digital, on paper, or both?
- Where is personal information physically used and stored? Is it on-premise or off-site?
- What type of personal information is being processed? Can any of it be considered sensitive information that carries higher expectations of privacy?
- Is personal information available to individuals on a need-to-know basis only? Who are these individuals with access?
- What is the current level of organisational awareness?
- What measures are in place to protect personal information in terms of cybersecurity as well as physically on the premises (locks on drawers, etc.)?
- What are the existing or potential risks and vulnerabilities?
- Who will the Information Officer be, and how many Deputy Information Officers will there be?
Look out for Updraft’s online POPIA Compliance Assessment, due for release in a few weeks. We’ll be offering this interactive tool to our legal colleagues as a FREE resource to assist you in the first stage of POPIA compliance readiness.
STAGE TWO: NEEDS PLANNING AND COMPLIANCE FRAMEWORK
Some organisations will have more onerous compliance obligations than others, depending on the outcome of their POPIA audit. A compliance framework is required to manage risks and will also help establish what compliance will look like and, most importantly, how to go about it. Often, drafting the framework will simultaneously develop the implementation strategy.
During this process, look for ways to lessen the compliance burden on the organisation. For example, the more control given to a data subject over their personal information (i.e. through client portals, etc.), the lighter the organisation’s own burden in meeting POPIA’s requirements for up-to-date and accurate information.
STAGE THREE: LEGAL
Any compliance journey will prove futile if an organisation does not have the correct documentation in place to guide, protect and entrench POPIA within it.
As legal practitioners, the task is to ensure an organisation has the right policies, guidelines, contracts and clauses in place to manage risk and liability. Practical implementation strategies involve reviewing contracts and templates for POPIA clauses, and drafting POPIA agreements, a framework and policy, as well as internal guidelines to ensure compliance.
STAGE FOUR: IMPLEMENTATION
Once all the pieces are ready, it’s time to put them into place. Start with managing expectations: ensure all key individuals within an organisation are on the same page and understand the documentation, the implementation plan, and what to expect from the process. The following elements are essential to a successful POPIA implementation:
Direct involvement of key individuals in the process and understanding that active participation throughout an organisation is necessary:
- Once legal practitioners and compliance managers step back, key individuals within the organisation need to be willing and able to carry the process forward.
Awareness that despite all the measures put in place, the most significant risk of a breach or non-compliance remains the human staff:
- A clear understanding of key terms and concepts across the entire organisation is essential. The risk of an ill-informed workforce is real and may render the whole compliance process futile.
- Ensure adequate and regular training of all individuals within the organisation. This should cover what individuals may and may not do with personal information and what the internal policies actually are. Differentiated training within the organisation, depending on the type and level of access individuals have to personal information, is essential.
- Ensure internal systems contain disciplinary measures and communicate the consequences clearly.
- Understand that the process may be frustrating and confusing at times.
A clear understanding that POPIA processes do not have a specified end:
- It is an indefinite, ongoing process that needs to become entrenched in the day-to-day operations.
STAGE FIVE: COMPLIANCE CYCLE AND MONITORING
The POPIA compliance framework should be operating within the organisation well in advance of the end of the Act’s grace period. It is only by allowing the process to run that you will identify gaps or further risks. It’s not uncommon for unforeseen and unexpected compliance issues to arise even a year or more after implementation plans have concluded. With POPIA’s effective date anticipated before year-end, organisations need their POPIA compliance running and watertight as soon as possible.
For obvious reasons, many organisations are moving towards technology to solve POPIA challenges: technology facilitates inviolable controls and processes, ensures transparency and delivers inbuilt data security. If you’d like more information about these legal tech solutions, get in touch with Updraft to see how we can assist you on your compliance and contracting journey.