ReynoldsAttorneys-logowebsite

POPIA Impact Assessments – An Ongoing Requirement

One of the often held and very mistaken beliefs is that compliance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) (‘POPIA’) is something you do once and lasts at least once a year. In reality, compliance is a moving target which shifts with the nature of your processing activities.

So what can and must you do to keep abreast of this moving target? The simplest way is to perform a processing impact assessment. From a South African perspective, one of the core responsibilities of an Information Officer is to conduct an impact assessment to ensure that adequate measures exist to comply with POPIA. See Regulation 4(1)(b) of POPIA: Regulations relating to the Protection of Personal Information. Consequently, an impact assessment is compulsory in terms of POPIA.

 

So, how do you do an impact assessment and what can be achieved?

An impact assessment is a process designed to assist an organisation in identifying their processing activities, the risks associated therewith and how they can minimise these risks. It is good practice to conduct an impact assessment for processing that is likely to result in a high risk to the data privacy rights of individuals or where you embark on a new avenue of business be that a new product or service or a different marketing strategy. In addition and specifically from a data security perspective, it is also good practice to conduct an impact assessment for any new project which requires the processing of personal information.

 

An impact assessment must –

  • describe the nature, scope, context and purpose of the processing;
  • assess the level of compliance with POPIA;
  • identify and assess risk to individuals; and
  • identify measures to mitigate against those risks.

 

Impact assessments give effect to the data “privacy by design” principle enshrined in the GDPR and recommended in terms of POPIA in that it assists with –

  • putting in place appropriate technical and organisational measures designed to implement the data protection principles effectively as required by POPIA; and
  • integrating safeguards into processing activities so that an organisation meets the requirements for compliance and balances processing with the protection of individual rights.

 

An impact assessment helps with identifying the processing activities and enhances an organisation’s understanding of data privacy risks within their organisation and enables an informed communication with all impacted parties and with relevant stakeholders. An impact assessment can also help not only in compliance with obligations under POPIA but also by reducing operating costs by eliminating the unnecessary collection and processing of data.

Let us know if you would like us to help you with an impact assessment in your organisation.

About the author

Sián Fields (Copyright IP & Technology, Data Privacy and Commercial Law Specialist)

Sián Fields is a Reynolds Attorneys consultant specialising in copyright IP and technology law, data privacy law and commercial Law. She has an LLM in Commercial Law with a specialisation in Electronic Law, and has extensive experience in information technology and telecoms, and offshore and local data privacy laws.

Contact Us

+27 84 556 8309
info@reynoldsattorneys.co.za

Connect with us

Address

We are based in Cape Town but operate as a virtual office.

Navigation

Home
The Firm
Meet Our Consultants
Legal Services
Clients

Blog
Contact Us
Legals
Privacy Policy

Receive the latest industry news

Sign up to our newsletter today

Subscribe
We respect your privacy. See our Privacy Policy. We will only email you a few times a month and we won’t share your email address with anyone.

Nicole Copley

NGO law

Nicole Copley is an NGO lawyer who works for NGO clients all over South Africa and internationally. She qualified with a BA LLB LLM (Tax) from the University of KwaZulu-Natal, Durban (with a Masters in tax exemption), and is a Master Tax Practitioner SATM.

Nicole advises on, drafts and amends founding documents for and sets up every sort of organisation required by South African NGOs. She makes tax exemption and 18A (deduction of donations) applications, and applications to be registered with the Nonprofit Organisations Board. She (and her team) keep registrations up to date and assist with compliance and reporting. She also NPO reporting and other services. She advises on re-structuring and assists not-for-profits in understanding and applying the useful provisions of B-BBEE.

She also does commercial drafting work for her NGO clients, vetting and drafting agreements for them. She works for a wide range of types and sizes of organisations and aims to provide a pragmatic and efficient service. Her decades of experience in consulting to NGOs means she takes the long view, is focused on governance, ethics, credibility and sustainability and steers clients away from quick fixes, helping them build/renovate so that the organisation outlasts current office bearers.

Nicole works with other consultants to the not-for-profit sector, collaborating on training, newsletters, advising government on legislation for the sector and, most recently, a series of practical guides for the sector, called “NGO Matters”, originally published by Juta but now published by Nicole as NGO Matters Publications.

She has been a consultant since 2019.

  • info@reynoldsattorneys.co.za