Does your organisation meet all the requirements for compliance with Popia?

The Protection of Personal Information Act is a data privacy law that complements section 14 of the constitution, which provides that everyone has the right to privacy.

The act, better than as the Popi Act or Popia, applies to any organisation that functions within the borders of South Africa, or which is not housed in South Africa but processes the personal information of individuals in the country.

Popia places liability on organisations when they collect, store, evaluate and manage personal information. It also takes precedent over other laws that regulate the processing of personal information.

But how does an organisation implement Popia. The exercise should be seen as a full, integrated process that focuses on an organisation’s risk governance framework.

A successful implementation establishes a purposeful team, which supports the transformation of the organisation. The framework should provide a strategy that the entire business can focus on.

Oversight

Your implementation programme must allow for an organisation-wide oversight as well as programme-level reporting and escalation. The programme must also investigate privacy risk management — privacy risk needs to be well looked after, with the privacy framework working hand in hand with the risk and control framework. Roles and responsibilities should be clearly defined.

The implementation programme should be part of the organisation’s data management and information security framework to protect and manage personal information throughout the processing life cycle. Your information security framework should offer suitable data protection controls to secure the data when resting, when in use, and when data is being transferred outside the organisation’s boundaries.

Your organisation’s culture and its people should be familiar with the privacy framework. And your employees should receive ongoing awareness programmes and training.

How to be compliant

Several organisations are faced with the challenge of achieving and maintaining compliance; we are here to educate and assist you in getting there.

As an organisation, you need to ensure you have a formalised Popia compliance programme.

It is essential to appoint an information officer. Ensure this individual is appointed legally. Next, perform a gap analysis. You can contact us at Clyrofor to perform a thorough gap analysis that will make it easy to use an evidence-based approach when implementing your programme. You can also use the results from the gap analysis for ongoing compliance monitoring.

Further analyse what and how the personal information is processed in your organisation, use various record types, monitor the various aspects that are required by Popia, implement user rights and, lastly, think outside of the box when looking at data storage.

To ensure that your organisation is compliant, implement Popia compliance policies. Go back to your policies and review existing and relevant ones, ensure they are reasonable and appropriate, design your privacy notices for diverse stakeholder groups, and make sure that you can enforce policies with no hindrance.

Important

It is also important to train your stakeholders on their roles in being Popia compliant. Feel free to contact us to enquire about our training programme — Clyrofor has a programme that will assist you in raising awareness and ensuring that your organisation can leverage various methods of training.

Ensure that being Popia compliant becomes the new normal and your employees or stakeholders are accustomed to this new way of working. Remember that Popia was judiciously considered over the years to guarantee that, when fully applied, it reflects best international practice.

To ensure your organisation is compliant, you need to take appropriate reasonable technical and organisational measures to prevent the loss of, or unlawful access to or processing of, personal information. Clyrofor is here to help you get compliant and avoid administrative fines of up to R10-million. To connect, simply send us an e-mail at [email protected].

About Clyrofor
Clyrofor is a cybersecurity company with ample experience in managing, deploying and supporting complex technological environments and solutions across various sectors. Our knowledge and experience enables us to meet the ever-present online security challenges through practical solutions. Clyrofor was established in 2014 by a team of informed ICT professionals with extensive experience. Our sectors covered include telecommunications, beverages, financial services and engineering. We are also equipped to serve companies in the public sector, too — our credible references can attest to this.