All entities need to be ready for Popi Act at end of June
All entities that deal with people’s personal information must be ready to comply with the Protection of Personal Information (Popi) Act by 30 June 2021, when the one-year grace period for the provisions that commenced on 1 July 2020 ends.
Sections 2 to 38, 55 to 109, 111 and 114 of the Popi Act came into operation on 1 July 2020, with section 114 giving entities 12 months from that date, until 30 June 2021, to bring their processing into line with the act. They will now have to protect our constitutional right to privacy by safeguarding our personal information.
The Popi Act is a crucial statute for organisations to get right, not only because the Fourth Industrial Revolution is all about data and information, but also because a breach of the Popi Act could result in imprisonment and fines, says John Botha, chief operating officer of Global Business Solutions.
He says the implementation of the Popi Act has many firms paralysed. “However, this elephant must be eaten piece by piece and there is still time to comply by 30 June 2021.”
He suggests entities use the following checklist to ensure they are ready:
Confirm your information officer (IO). The head of the organisation (typically the CEO) is the IO by default; if the role is assigned to anyone else, the appointment must be in writing. Deputy IOs (DIOs) can be designated if necessary.
Register the IO and any DIOs on the Information Regulator (IR) website and obtain your certificate of registration.
Draft or update your Popi policy and practice manual.
Draft an incident response plan setting out the procedure to follow when personal information (PI) under your control, or under the control of an operator acting on your behalf, is compromised.
Draft or update your privacy policy for your website and business.
Set up training sessions for managers and staff who process PI. Have them sign an attendance register and the Popi annexure to their employment contract, and hand out copies of the Popi policy for their reference.
Ensure your section 51 PAIA manual is available on your website.
Identify all operators as defined in the act and ensure that written contractual terms covering Popi are in place with each of them. These terms must require the operator to guarantee compliance with Popi and related PI statutes and to notify you immediately if information you have provided is compromised while in the operator’s hands. This is important because you, as the responsible party, will have to report the data breach to the Regulator and notify the affected data subjects.
Ensure that you make provision for data subject participation. Remember that the Popi Act gives all past and current suppliers, employees and clients or customers rights of participation in respect of their personal information. In practice this means you must provide a simple, effective and recorded channel through which they can contact the IO/DIO to request that their information be corrected, deleted or destroyed. They must also be able to object to the processing, lodge a complaint, and opt in or out of electronic marketing.
List all systems, technology and programmes you use and have your IT department give written assurance, backed by evidence, that the reasonable security safeguards the act requires are in place: firewalls, anti-virus software, user access control, back-ups and encryption.
Design an impact assessment matrix that requires each business function to identify the processes in which it handles PI, then verify that the supporting systems and staff conduct are up to standard. Where PI is transferred outside South Africa, special PI is processed, or the data subjects are children under 18, the specific Popi provisions governing those cases must be complied with.
Botha also reminded entities that, from 1 July 2021, all new data subjects must give their consent to electronic direct marketing before any marketing collateral is sent to them.