POPIA Compliance FAQ
This is a cloud-based POPIA compliance management solution that is implemented and maintained by your company. The solution helps you understand POPIA’s requirements and enables you to demonstrate compliance with those requirements.
Organisations must demonstrate compliance against POPIA’s processing conditions, e.g.
– lawful processing
– lawful and limited purpose
– security of information
– information quality
There is no cyclical audit as such. You may be ‘audited’ if there is a breach or if a complaint has been laid against your company. The Regulator invokes the audit.
Our solutions enables your POPIA compliance program to do this.
If you have employees, you are a Responsible Party and must comply.
POPIA’s definition of personal information includes the PI of ‘juristic persons.
personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person
there are 2 aspects to POPIA, employee personal information, and customer personal information. So the second aspect does apply to you. But the Micro product should suffice in your instance.
We assume your mean personal information?
It depends on who is asking for the personal information, whether there is a lawful reason for their asking, why they are asking, and what personal information they are asking for.
Ours is the ideal solution to complement your consulting service to your clients. Contact us to discuss further.
We do offer a referral program, but the compliance program access and ownership will still reside with the company (client)
Whether you are a sole trader, a partnership, or a company, you need to comply if you collect and use people’s personal information.
It would appear not to be the case. However, the best is for you to register on the Information Regulator’s portal to see whether it accepts other than SA ID details. You may register here.
Proper destruction of data is important to the condition for security of personal information.However, this is something best answered by your IT department or whomever manages your IT services.
Our service is complete in respect of POPIA’s requirements. In fact, POPIA does not stand alone. It is dependent on PAIA when it comes to managing data subject access requests. The beauty is that you will find the PAIA rules and procedures built into our service.
Besides having to comply as a Responsible Party, it is likely that you will be seen as an Operator because you process their payrolls. There would have to be an Operator contract between you and your clients. It is left to your clients to make sure that this contract exists. Talk to us, let’s see how we might assist.
There are several scenarios where you are able to retain personal information of past employees. In some cases it could be required by law, in others it could be because you have the past employee’s consent e.g. in your example of providing references.
Have your registered with the Information Regulator?
Do you properly inform people when you collect their personal information?
Are you collecting their personal information lawfully?
Are your employees up to speed in terms of their responsibilities?
Can your client easily make requests to access their personal information and do you have a procedure for responding?
Are you able to properly respond to a security incident involving personal information?
These are some of the ways.
You need to be GDPR compliant if you are doing business with EU and UK residents. Talk to us about the related compliance platforms.
The micro package costs R225 billed monthly or R2495 billed annually. You can see whether you require the micro or full package by filling our survey here.
the training product has two options: Senior employee Training @ R650 per candidate, Standard Employee @ R490 per candidate.
Find our course pricing here.
Start with the IO (information officer) first, we would suggest Senior course for them, then potentially any appointed deputies. Any other employees can be taught in-house, or opt for the Standard employee package.
Micro is definitly not recommended for your company.
Given your type of business, we wouldn’t recommend the Micro version off the bat.
We would love to have a more detailed discussion because the discussion might go beyond just protecting basic information.
That’s correct. We’ve heard this from other clients. There’s no word from the IR yet. Is there anyone else you might be able to appoint as the IO for the 2nd entity?
We only offer referrals for this product for now. It will be 10% per month for the first year.
No, unfortunately not.
Here we are not responding on behalf of a Micro client. If the program lead has a detailed understanding of POPIA’s requirements and if the preparation for data mapping is efficient, it is easy to setup. Then comes the ongoing cycle of compliance – it’s up to each organisation to determine that cycle. Where consultants could get involved is with managing data subject access requests. Or, if IT is outsourced, the service provider could be setup as a task owner under Security Controls.
Cloud-based service providers are largely viewed as Operators. You set these up during your data mapping and then you use the Operators section to manage operator contracts.
POPIA is compulsory if you collect and use people’s personal information
You will only register as Information Officer.
personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
This so covered by POPIA’s processing conditions. Each scenario must be examined – case by case
sole traders, partnerships and juristic persons (companies) are all in scope.
Our solution provides you with all the evidence you need. You just need to be careful about whether you must use the Micro solution or the regular platform. We can help you decide.