The eleventh hour is upon businesses that are not yet POPIA (Protection of Personal Information Act) compliant.
By Rian Schoeman, head of legal and chief privacy officer at LAWtrust
The effective date of 1 July is upon us. Your business should have already started its compliance journey, as it will at least help lessen the risk of cybersecurity breaches.
Securing your data will help your business stay in good standing with local and international partners. It will also enhance the reputation of your business and reduce your exposure to the fines and other penalties that follow non-compliance.
Here are six steps your business can take before 1 July to be POPIA compliant:
Encrypt everything
One of the major requirements under POPIA (section 19) is to secure personal information with regard to generally accepted information security practices and procedures. What counts as reasonable differs from one organisation to the next, but a few measures apply to almost every business. One of these is that you need to secure every place where you store personal information: lock away any paper or file that contains customer information and limit who has access to the keys.
When it comes to computers, cell phones and servers, their storage needs to be encrypted. Many editions of Windows ship with built-in disk encryption (BitLocker); if yours does not, it is time to start looking into an encryption solution for your computers. Modern smartphones support full-device encryption, often on by default, and every mobile device that processes personal information must have it enabled. Keep in mind that encryption at rest protects you when a device is lost or stolen, not when an attacker logs in as an authorised user, so combine it with strong device passcodes and a safe place to keep recovery keys.
Train your staff
Now is the time to give your staff proper POPIA compliance training, if you have not done so. With the POPIA effective date coming closer, more people are claiming to provide compliance training. If you, like me, receive several emails a day offering POPIA training, but they do not even state who the trainers will be, you have a cause for concern. This is why it is crucial to verify trainers’ credentials.
Enter into data processing agreements with operators
POPIA requires a Responsible Party (the party that decides why and how personal information is processed) to enter into written agreements with any other party that processes personal information on its behalf (an operator, in POPIA's terms). These agreements must set out how the operator is required to process and secure the personal information.
Please note that this is not a contract with your customer; it concerns the organisations that handle personal information on behalf of your business, such as a payroll provider, a cloud host or a marketing agency.
Get consent now
If your business is planning on engaging in direct marketing, POPIA is very strict about requesting and obtaining consent from people who are not already your customers or contacts. The website of the Information Regulator contains sample consent request documents, and the request may also be sent by email.
Keep a record of every such request and of every response, as you are not allowed to direct-market to people who have not expressly opted in. Failure to reply to the request does not equate to consent, so treat silence exactly as you would treat a refusal.
Put a database in place to record requests from data subjects
POPIA gives data subjects (the people whose information is processed) the right to access, correct or delete their personal information. Every such request must be recorded and stored together with the action taken on it. Please note that not every deletion request has to be complied with, for example where you are still required to process the personal information in terms of a contract; in that case record the refusal and its reason rather than simply ignoring the request.
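The two registers described under "Get consent now" and in this step are easy to get subtly wrong: silence must never be counted as consent, a later opt-out must override an earlier opt-in, and a refused deletion still needs its reason on file. The following is an added example of a minimal register in Python with SQLite; it is not LAWtrust code nor anything the Information Regulator prescribes, and the table layout, status values and sample contacts are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema for the two registers; added example, not a prescribed layout.
SCHEMA = """
CREATE TABLE consent_requests (
    id           INTEGER PRIMARY KEY,
    contact      TEXT NOT NULL,
    requested_at TEXT NOT NULL,
    response     TEXT CHECK (response IN ('opt_in', 'opt_out')),  -- NULL = no reply yet
    responded_at TEXT
);
CREATE TABLE subject_requests (
    id          INTEGER PRIMARY KEY,
    contact     TEXT NOT NULL,
    kind        TEXT NOT NULL CHECK (kind IN ('access', 'correction', 'deletion')),
    received_at TEXT NOT NULL,
    action      TEXT,          -- what was done, or why it was refused; NULL until handled
    actioned_at TEXT
);
"""


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def open_register(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_consent_request(conn, contact, when=None):
    cur = conn.execute(
        "INSERT INTO consent_requests (contact, requested_at) VALUES (?, ?)",
        (contact, when or _now()))
    conn.commit()
    return cur.lastrowid


def record_consent_response(conn, request_id, response, when=None):
    if response not in ("opt_in", "opt_out"):
        raise ValueError("response must be 'opt_in' or 'opt_out'")
    cur = conn.execute(
        "UPDATE consent_requests SET response = ?, responded_at = ? WHERE id = ?",
        (response, when or _now(), request_id))
    if cur.rowcount != 1:
        raise LookupError(f"no consent request with id {request_id}")
    conn.commit()


def may_direct_market(conn, contact):
    # Only the most recent request counts, and only an explicit opt-in permits
    # marketing: no request, no reply and opt-out all yield False.
    row = conn.execute(
        "SELECT response FROM consent_requests WHERE contact = ? "
        "ORDER BY requested_at DESC, id DESC LIMIT 1", (contact,)).fetchone()
    return row is not None and row[0] == "opt_in"


def record_subject_request(conn, contact, kind, when=None):
    cur = conn.execute(
        "INSERT INTO subject_requests (contact, kind, received_at) VALUES (?, ?, ?)",
        (contact, kind, when or _now()))
    conn.commit()
    return cur.lastrowid


def resolve_request(conn, request_id, action, when=None):
    cur = conn.execute(
        "UPDATE subject_requests SET action = ?, actioned_at = ? WHERE id = ?",
        (action, when or _now(), request_id))
    if cur.rowcount != 1:
        raise LookupError(f"no subject request with id {request_id}")
    conn.commit()
    return action


def resolve_deletion(conn, request_id, retention_required=False, when=None):
    # A deletion request may be refused while the information must still be
    # processed (e.g. under a contract); the refusal and its reason go on record.
    action = "refused: retained for contract" if retention_required else "deleted"
    return resolve_request(conn, request_id, action, when)


def outstanding_requests(conn):
    rows = conn.execute(
        "SELECT id, contact, kind FROM subject_requests "
        "WHERE action IS NULL ORDER BY received_at, id")
    return [tuple(r) for r in rows]


def demo():
    # Constructed sample data, not real contacts.
    conn = open_register()
    a = record_consent_request(conn, "alice@example.com", "2021-06-01T09:00:00+00:00")
    record_consent_response(conn, a, "opt_in", "2021-06-02T10:00:00+00:00")
    record_consent_request(conn, "bob@example.com", "2021-06-01T09:00:00+00:00")  # no reply
    c = record_consent_request(conn, "carol@example.com", "2021-06-01T09:00:00+00:00")
    record_consent_response(conn, c, "opt_out", "2021-06-03T08:00:00+00:00")
    d = record_subject_request(conn, "bob@example.com", "deletion", "2021-06-10T12:00:00+00:00")
    resolve_deletion(conn, d, retention_required=True, when="2021-06-11T12:00:00+00:00")
    record_subject_request(conn, "alice@example.com", "access", "2021-06-12T12:00:00+00:00")
    return {
        "alice": may_direct_market(conn, "alice@example.com"),   # True: explicit opt-in
        "bob": may_direct_market(conn, "bob@example.com"),       # False: silence is not consent
        "carol": may_direct_market(conn, "carol@example.com"),   # False: opted out
        "dave": may_direct_market(conn, "dave@example.com"),     # False: never asked
        "outstanding": [kind for _, _, kind in outstanding_requests(conn)],  # ['access']
    }


if __name__ == "__main__":
    print(demo())
```

Point any marketing tooling at `may_direct_market` rather than at the raw contact list, so a contact that was never asked or never replied is excluded by construction; and export `outstanding_requests` regularly, since an unanswered access or correction request is itself a compliance failure.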
Update your PAIA manual
The Promotion of Access to Information Act (PAIA) requires all companies to have a PAIA manual, but POPIA has added several requirements.
It is, therefore, very important to update your PAIA manual so that it also meets POPIA's requirements. This exercise is not as easy as it may seem at first. If you have the funds, hire reputable experts to draft one for your company; if not, refer to the publicly available PAIA manuals of large South African corporations for guidance.