Does your organisation comply with the POPI Act yet?

The Protection of Personal Information (POPI) Act, a legal requirement for all organisations enforced from 01 July 2021, aims to promote the protection of personal information processed by public and private bodies and to regulate the flow of personal information within South Africa and across its borders, in line with the GDPR (General Data Protection Regulation).
By: David Elliot – Managing Director ISO SHERQ Holdings Pty Ltd

Strict penalties will be levied against organisations and individuals that intentionally continue to ignore the correct governance when interacting with individuals and their information.

Personal information has become one of the most powerful commodities in the world we live in today. In this age of data privacy and processing information, every time you process personal information you will be subject to the data privacy and protection laws (POPI or GDPR).

The POPI Act, falling into the broader Constitutional right to privacy, applies to any person or organisation who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.

In simple terms, the purpose of the POPI Act is to ensure that all South African institutions conduct themselves responsibly when collecting, processing, storing and sharing another person's personal information, by holding them accountable should they abuse or compromise that personal information in any way.

If an organisation, or person, is alleged to be in breach of the POPI Act, a complaint may be submitted to the Information Regulator. This complaint will be dealt with by an adjudicator. If a person is not happy with the determination of the adjudicator, they can still approach the Information Regulator for another ruling.

Compliance with the POPI Act is established through:

Gap Analysis

Assess the current level of compliance and identify vulnerabilities and risks in respect of POPI.

Policy Review and Drafting

Develop internal ethical standards for the processing of personal information. By drafting or reviewing privacy policies, information security procedure policies, incident response policies and access to information manuals, you create a structure in which compliance can be managed, monitored and maintained.

Compliance Management Plan

Create and implement a compliance management plan to actively manage compliance with POPI.

POPI Practical Guidance

Define what POPI means to you. The first step in achieving this is through defining and providing clarity on what POPI is. Then, together with the responsible parties and operators, create awareness and understanding of why the protection of personal information is necessary.

Third Party Reviews

Conduct reviews of customer-facing documents and service provider agreements to ensure compliance, followed by a detailed written report setting out what information is processed and the details of the third parties processing that personal information, and making recommendations on the adequacy of the cover the contracts provide for the protection of personal information, on compliance with POPI, and on how the cover could be improved to ensure adequate control in respect of the POPI Act.

ISO-SHERQ Holdings Pty Ltd can assist you with your POPI Act compliance requirements at a very reasonable and value-adding cost.

Contact us on +2764 908 6579.
