10 Focus points from conducting readiness assessments:
Written by Karus Prinsloo
POPIA is being phased into operation, with the bulk of requirements becoming effective on 1 July 2020. The act provides for a year’s window period for organisations to comply with its obligations.
Since 2016 we’ve assisted clients from various industries with their preparation for POPIA readiness. Along the way we encountered a number of focus points that apply to most organisations. We’ll be sharing these focus points from time to time.
- Two sides of a coin
Relook the organisation’s compliance with the Promotion of Access to Information Act (“PAIA”), while working with POPIA readiness.
- Have a plan
A phased approach is important! Identify POPIA’s impact on the organisation, who is responsible for what and by when, to ensure compliance with POPIA.
- Compliance is everybody’s business
Who in the organisation should take the lead with regard to ensuring readiness? Allocate responsibility to a line function or individual who can co-ordinate the organisation’s POPIA readiness drive.
- Who is who
POPIA provides for roles of “data subject”, “responsible party” and “operator”. Identify these role players for all instances of processing of personal information.
- POPIA is about more than the 8 conditions for processing
Identify the circumstances in which “special personal information”, as defined by POPIA, is processed. Ensure that such processing complies with the requirements relating to special personal information.
Address the requirements relating to direct marketing, trans-border information flows and automated processing of information.
- Keep it simple: policies and contracts
Prior to developing POPIA-specific policies and contracts, ascertain what is currently in place. Obtain advice about the adequacy of the POPIA provisions in existing policies and agreements before drafting a “POPIA policy”. Quite often it is not necessary to amend existing contracts.
- Hardcopy documents… or just electronic?
Processing of personal information is not only about electronic processing. Remember to include the processing of personal information from physical documents in the scope of readiness assessments.
- De-identify to the extent that it cannot be re-identified again… and the other exclusions
Take into account the circumstances when POPIA is not applicable.
- The carrot and the stick
Intentionally identify and pursue opportunities which POPIA opens for your organisation. Opportunity could knock in terms of new products and services, or by positioning the organisation as a responsible corporate citizen.
- And then… other:
Establish under which circumstances consent should be obtained. Identify quick wins. Chances are that the organisation has an asset register for the physical assets it holds; consider developing an information asset register (with fields such as who uses information for what, and the like). These factors will be explored further in future articles.