It has been a requirement to comply with the POPIA Act since 30 June 2021. What does that mean in practical terms?

The Act kicks in the moment you collect, store or process the personal information (PI) of either natural persons or juristic persons (e.g. an organisation), also known as data subjects. This also affects information obtained in the past – in other words, historic records.

Steps to take to comply

The one-two-three of becoming POPIA-compliant is: Assess, Act and Train.

Assess: Start by assessing what PI is collected, stored or processed: Where is info handled? Which of it is relevant PI? Which of such PI qualifies as an exception? Destroy any info that you don’t need, and secure the rest.

Act: Obtain consent for historic (existing) records; check that all information is being processed correctly; interrogate your own safeguards, e.g. IT and physical security measures; put in place a system to notify data subjects in future that their information will be processed, and to obtain their consent beforehand; and create a system to protect PI once it has been obtained. This includes drafting internal policies and procedures, installing IT safeguards, introducing alerts for attempted intrusions, and carrying out regular attack-simulation (penetration) testing.

Train: All staff should be trained to obtain the minimum of information from any data subjects they deal with. They shouldn’t ask for any info that is not needed, such as whether a data subject is married or how many children they have, unless that information bears directly on the relationship with the customer or client. An organisation should be able to give valid reasons for any item of information that they collect. Staff should also be educated on the rights of data subjects, so that they will not unknowingly breach such rights and compromise the organisation.

There are a number of other general aspects as well to consider in becoming and remaining POPIA-compliant:

  • Keep control over passwords and computer security. The regular renewal of passwords should be mandatory, and there should be rules about password strength.
  • Promote a clean desk policy – any documents lying around that contain PI on data subjects create a risk of unauthorised access to such information.
  • Maintain strict control over the security of physical files and of photographs of data subjects.
  • Be vigilant about PI used in the organisation’s social media channels.
  • Establish and enforce disciplinary measures in the event that a staff member should breach the organisation’s POPIA policy and rules.
  • Update all existing contracts of employment to reflect appropriate POPIA conduct, spelling out the consequences of POPIA transgressions.
  • Circulate regular company-wide cautions about phone calls and other communications from outside the organisation in which staff are asked to divulge any personal information, except for those relating to EE, BEE, WSP/ATR and SARS.

Takeaway

Any handling of data subjects’ PI requires stringent rules and procedures. Past as well as future records must be subject to systems that protect the relevant information, and all staff must be trained to keep the organisation compliant.
