The top five things to consider in your POPIA compliance

"At a primary level, organisations are required to secure integrity and confidentiality of personal information in their possession and under their control by taking all appropriate, reasonable, technical and organisational measures."

By Maeson Maherry

Protection of Personal Information Act (POPIA)

The passing of the Protection of Personal Information Act (POPIA) was aimed at securing and protecting consumers’ and companies’ personal information. In adhering to POPIA, businesses should consider several factors to avoid violating its provisions.

In order to achieve the protection of consumers’ personal information, POPIA sets conditions for when it is lawful for someone to process someone else’s personal information. As such, becoming compliant will impose an increased governance duty on companies, which in turn will inspire trust in an organisation.

Essentially, POPIA is set up to protect people from harm by protecting their personal information. With the proper cybersecurity measures in place, consumers’ identities will not be stolen, which is important in protecting their privacy.

Section 19 of POPIA has established a comprehensive set of cybersecurity and data protection duties for responsible organisations. At a primary level, organisations are required to secure integrity and confidentiality of personal information in their possession and under their control by taking all appropriate, reasonable, technical and organisational measures.

Top five things to consider in your POPIA compliance:

  • Train personnel: Privacy awareness amongst your team is an ongoing effort. Training is meant to communicate the organisation’s privacy policies and processes, such as data collection and retention, and breach or incident reporting. With regular, bite-sized and engaging training, you can ensure that end-users are reminded of their responsibilities on an ongoing basis and receive advice on how to put security into practice in their day-to-day work.
  • Appoint an Information Officer: The Information Officer is entrusted with great responsibility and a duty to ensure that the organisation complies with both POPIA and PAIA (the Promotion of Access to Information Act). Depending on the size, scope and function of your organisation, appoint either a dedicated POPIA compliance officer or a full team.
  • Assign responsibilities: Each business unit or department can start with personal information audits to map what personal information is processed by the business. Determine who is responsible for the collection, processing, storage, management or destruction of personal information.
  • Analyse what personal information is processed and how: Use a broad definition of record types as per POPIA (e.g. CCTV footage, biometric data). Look at the various aspects POPIA requires (including consent, purpose, source, sharing and destruction). Also consider data subjects’ rights and how they are managed, and think broadly about the types of devices on which data is stored, since each of them represents a compromise risk.
  • Implement POPI Act compliance policies: The best way to go about this is to draft a privacy policy that is applicable to your organisation. In doing so, ensure your policies are reasonable and appropriate, and make sure they are enforceable.


Organisations should have practical compliance measures and use understandable language in their privacy notices. This will help to ensure compliance and to avoid penalties, reputational damage and putting clients at risk.

Enjoy the May 2023 edition of Public Sector Leaders.

