We have been awaiting a proclamation about the commencement of the operational provisions of POPIA. The provisions regarding the establishment of an Information Regulator were commenced in 2014 to enable the regulator to be ready to properly implement and assume its powers and duties. The remaining provisions of POPIA are to commence on 1 July 2020 with a one-year grace period being implemented to allow for organisations to become compliant.
So, what now? Although it is important not to panic, it is similarly important that steps are taken as soon as possible to ensure readiness ahead of the end of the grace period. We recommend that, at a minimum, the following is done. Once the minimum requirements have been put in place, the appropriate audit and training within the organisation can be undertaken to help demonstrate compliance.
1. Personal Information Guide:
a. Sets out the legal requirements in POPI, translates them into actionable steps and procedures that must be followed by employees, service providers and contractors who process personal information, and sets out the disciplinary steps and penalties that will apply if the policy is not followed.
2. Clause consenting to non-compliance: notification in terms of Section 18 (4).
3. Appoint an Information Officer in writing (CEO will be default Information Officer).
4. Information Security Policy:
a. Setting out the physical, technical and people-based safeguards you have in place to protect the confidentiality, integrity and availability of important information systems, electronic and manual.
5. Record Retention Policy:
a. Setting out the requirements and time periods for creating and keeping certain records to meet regulatory requirements and for important evidential reasons. It also sets out the procedures for proper data disposal, de-identification or return.
6. Draft Privacy Policy and Notices for all websites that set out what personal information may be collected; your processing activities; the data subject’s statutory rights, including their right to access and correct their information; and the relief available if their personal information is misused or their legal rights are abused.
7. Draft PAIA manual to align with POPIA.
8. Audit and amend the terms of your service contracts with suppliers and downstream service providers to make sure they contain various important contractual protections and the security safeguards that the operator needs to have in place.
9. Update employment contracts.
10. Update standard company agreements.
11. Create more detailed policies or guidelines to deal with specific privacy issues, including:
a. Mobile device policy;
b. Transfer of data policy;
c. Data subject request for information.
Privacy Packs for Purchase: Helping you implement all of the above
We understand that this may feel like a lot to implement and achieve all at once, from both a financial and an operational perspective, so we have broken the basic implementation down into core sections and created a privacy pack to implement each section.
You have the option to purchase and implement all or only some of the core sections, and can do so over time. If you have already done quite a bit of data privacy work within your organisation, we can also assist you with a gap analysis and then build a pack specifically designed to meet the gaps identified. Please feel free to contact us for a quote.