MD’s email sent out for this post | https://bit.ly/39Tf5hF
The POPIA (The Protection of Personal Information Act) compliance deadline is 30 June 2021. If you have not yet attended to the development of a POPIA implementation and compliance framework to ensure that your business complies with POPIA, you should act now.
Compliance with POPIA, is mandatory for any individual or entity (the “responsible party”) who processes and records personal information. Responsible parties must be fully compliant with the provisions of POPIA by 30 June 2021 and ensure that the internal business processes, policies and practices are in line with the provisions of POPIA.
POPIA requires every responsible party to nominate and appoint an Information Officer who is responsible for the implementation of POPIA and who ensures that the responsible party remains compliant with the Act.
Under the PAIA (the Promotion of Access to Information Act), the head of each organisation is automatically assigned the position of Information Officer. While the role of the Information Officer has expanded under POPIA, the Information Officer is required to be appointed with the Information Regulator from 1 May 2021. The company may also appoint as many Deputy Information Officers to assist the Information Officer.
Expanding on the responsibilities under PAIA, the Information Officer, together with the Deputies, are responsible for encouraging compliance with the conditions of the lawful processing of personal information within the entity, dealing with any and all requests, working with the Information Regulator and ensuring that the entity complies with the provisions of the Acts.
The following is a very brief outline of what you need to action before 1 July 2021:
1. Appoint an Information Officer – a representative within the company, usually the CEO, unless stated otherwise
2. Create awareness – your employees need to be trained after appointing the Information Officer
3. Impact assessment – audits should be conducted to understand the flow of data within the company – this includes how it is collected, who collects it, where it is stored, what it is used for and how it is retained or discarded – and if any gaps are identified, an action plan needs to be developed and implemented to improve the data protection
4. Data protection policies and regulation adherence – after gaps are identified, you will be able to draft security policies that outline how the personal customer information will be stored, processed and secured – regulations should include an outline plan indicating the procedures in the event of a data breach and the policy and plan should be communicated to employees
5. Invest in the appropriate resources – you may need to adjust policies and procedures within your business including updating employee contracts, supplier agreements and marketing communications (opt-in and out practices)
6. Other resources that should be considered are website security, anti-virus and malware protection, cloud-based security and email gateway security
Every business is unique in its functioning and operations and therefore has different needs when it comes to POPIA implementation. With this in mind, we are able to refer you to an alliance partner who has assisted us with our own tailored POPIA implementation.
Please contact us for assistance before you run out of time!
Stephanie Phillips | Company Secretary
