South Africa’s Protection of Personal Information Act (POPIA) came into force on 1 July 2021. The purpose of the law is to ensure that personal information is kept safely by organisations who collect it, not sold to third parties, not lost and not used or held for longer than was originally necessary.
The extent to which POPIA is going to affect your business will depend on how your data-related processes and operations align with the core principles of the law – so it’s crucial to know the principles.
These are the eight principles:
Principle 1 – ACCOUNTABILITY – the head of the company is ultimately responsible for complying
Principle 2 – PROCESSING LIMITATION – personal information usage must be lawful, with the minimal amount of information necessary
Principle 3 – PURPOSE SPECIFICATION – personal information must be collected, used and retained for a specific purpose, related to your organisation’s activity
Principle 4 – FURTHER PROCESSING LIMITATION – further processing of the information must be compatible with the original purpose for collection
Principle 5 – INFORMATION QUALITY – the personal information must be kept up to date, complete and accurate
Principle 6 – OPENNESS – there are things you need to tell the person when you collect their personal information
Principle 7 – SECURITY SAFEGUARDS – measures must be taken to prevent loss of, or unauthorised access to, personal information
Principle 8 – DATA SUBJECT PARTICIPATION – the information does, after all, belong to someone else, and he or she must be able to access it
These principles inform the actions and procedures your organisation needs to take to become, and remain, compliant with POPIA, so your compliance journey is dependent on knowing them.
What must I do to meet the principles of POPIA?
First you will need to create a compliance programme that takes all eight principles into consideration, from both organisational and technological points of view. You will start by assessing how data flows through your organisation and working out what needs to change and what needs to be implemented.
In creating your compliance programme, you will make provision for:
- Consent management
- Electronic marketing
- Human resources
- Information technology and security
Your programme will also need to:
- Document the flow of personal and sensitive data
- Satisfy governance requirements
- Ensure employee awareness of data privacy
- Provide for data subject access requests
- Facilitate breach logging and management
The task may seem daunting at first, but it becomes straightforward with compliance software, which gives you the tools to assess how data flows through your organisation and then work out what needs to change or be implemented for your particular setup.
If you’d like to chat about what a compliance programme for your organisation would entail, we’re here to help.