The anticipation is over. The South African government confirmed on June 22nd, 2020 that POPI regulation will be in effect from July 1st, with some elements of the legislation coming into force on July 1st, 2021. [Source].
If you are not already compliant, there is no need to panic. You still have 11 months (from August 2020) to get up to speed. Here are the basics, four key steps and the common areas that need attention.
The Protection of Personal Information Act applies to all foreign and local businesses operating within South Africa, whether you have one employee or one hundred.
POPI is simply the legal framework that sets out the minimum requirements for accessing, processing, storing, or collecting data.
Personal data is defined broadly by the Act as any information which can be used to ‘identify’ either an individual person or an organization. The scope it covers is broad and includes everything from religion to health status. For Act specifics or to browse the full text of the Act, click here.
Gears in Motion
The fairly long gap between the Act's introduction in 2013 and its recent implementation allowed many companies’ compliance projects to slide down the to-do list. This is especially true for small and medium-sized businesses with tight budget controls and competing priorities. However, with less than a year to go, now is the time to fire up the engines and get the gears into motion.
Operational Readiness is achievable; here’s where to begin.
*Nervous about whether you can comply? Here are two case studies on the process of going paperless through digitalization: one bank and one NGO. You too can protect personal information in a digital world.
Where to Start?
First, we suggest an up-to-date gap analysis. This will supply specific information on where current practice falls short and paint a detailed picture of what needs to be addressed so that you meet the deadline fully prepared. Secondly, NCX recommends an information mapping exercise: chart and track the information channels currently in use. What data is processed, and how is that data managed within the company and externally? Where is it stored? Have you identified security risks and defined user rights? Next, formalize your compliance project and begin implementing compliant policies to demonstrate that you are making compliance a priority.
NCX can refine your existing network or construct a new one such that your business is completely POPI compliant for complete peace of mind.
Common areas of concern where businesses may need to strengthen their compliance include:
• Technical and organizational measures that prevent and protect against unauthorized access to information.
• Up-to-date and thorough agreements.
• Prepared privacy notices and consent documentation.
• A culture that values privacy, fostered through training and up-to-date policies and procedures.
• A breach/incident response plan.
4 Key Stepping Stones to POPI Compliance
1. Strict Data Protection Protocols: NCX will remove the guesswork and ensure company policies and regulations are up to code.
NCX professionals know what it takes to ensure that data collection, protection, and data management meets compliance regulations.
NCX will also formulate an adequate breach or incident response plan. We will train and educate staff, so that all parties grasp the implications of a leak, regardless of whether it results from accident or criminal intent.
2. Secured Access Points: Practically, this translates into elements such as monitored access, scheduled password changes, and vigilant, educated employee users.
NCX will refine your existing framework or construct a new one to provide POPI compliant secured access.
Layered security access is a critical defence of your data against ransomware, hacking and the like.
*Don’t forget to take remote and at-home employees into consideration. As a business you remain responsible for client and employee data regardless of how your employees access it or what devices they access it from. To discuss potential working solutions, click here.
3. Systems and Technology Devices: On-site or hosted infrastructure which encompasses email security, backup and archiving systems is key to facilitating compliance.
*Learn how Xerox offers built-in compliance within its devices here.
4. Select an IT partner to safeguard and serve your interests: An Information Officer or IT Support Professional who you can trust simplifies the process from start to finish. Rather than navigating uncharted waters or investing countless hours in becoming an expert yourself, NCX will be of complete service to you. No matter what point your company is at on the road to reaching compliance, NCX can help.
What Happens if My Business is Not POPI Compliant?
Nothing yet, thankfully! As noted, all enterprises have been given a twelve-month grace period (ending July 1st, 2021) to put their information processing in order.
Complying with regulations and cyber security protocols is not only the law; it is good business practice and represents sound corporate governance. Remember, POPI might be new for RSA, but it is in line with similar legislation around the world (think GDPR in the EU).
Non-compliance after the grace period expires may result in sanctions or reputational harm. The Information Regulator is charged with enforcement and handles complaints. Any offence process is likely to commence with the issuance of a compliance order and enforcement notice.
Applicable penalties may follow. These depend on the type of infringement. Specifics can be found here.
As tempting as it may be to push compliance onto a future to-do list, this is not recommended. Why? It is not in your best business interest. Instead of ignoring the situation, deal with it.
Speak with NCX. We have prepared a unique POPI Compliance Package offering. Our assessment will clarify what the next steps should be. Let our professionals prime your business for the new standard without the hassle.
Contact us on: 010 035 1218