One of the commonly held and very mistaken beliefs is that compliance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (‘POPIA’) is something you do once, and that the result then holds for at least a year. In reality, compliance is a moving target which shifts with the nature of your processing activities.
So what can and must you do to keep abreast of this moving target? The simplest way is to perform a processing impact assessment. From a South African perspective, one of the core responsibilities of an Information Officer is to conduct an impact assessment to ensure that adequate measures exist to comply with POPIA (see Regulation 4(1)(b) of the Regulations relating to the Protection of Personal Information, issued under POPIA). Consequently, an impact assessment is compulsory in terms of POPIA.
So, how do you do an impact assessment and what can be achieved?
An impact assessment is a process designed to assist an organisation in identifying its processing activities, the risks associated with them and how those risks can be minimised. It is good practice to conduct an impact assessment for processing that is likely to result in a high risk to the data privacy rights of individuals, or where you embark on a new avenue of business, be that a new product or service or a different marketing strategy. In addition, and specifically from a data security perspective, it is also good practice to conduct an impact assessment for any new project which requires the processing of personal information.
An impact assessment must –
- describe the nature, scope, context and purpose of the processing;
- assess the level of compliance with POPIA;
- identify and assess risk to individuals; and
- identify measures to mitigate those risks.
Impact assessments give effect to the “privacy by design” principle enshrined in the GDPR and recommended in terms of POPIA, in that they assist with –
- putting in place appropriate technical and organisational measures designed to implement the data protection principles effectively as required by POPIA; and
- integrating safeguards into processing activities so that an organisation meets the requirements for compliance and balances processing with the protection of individual rights.
An impact assessment helps to identify processing activities, enhances an organisation’s understanding of the data privacy risks within its operations, and enables informed communication with all impacted parties and relevant stakeholders. Beyond supporting compliance with obligations under POPIA, an impact assessment can also reduce operating costs by eliminating the unnecessary collection and processing of data.
Let us know if you would like us to help you with an impact assessment in your organisation.