The Information Regulator has approached the President to issue a commencement date of 1 April 2020 for the remaining provisions of the Protection of Personal Information Act (POPI).
“While businesses have 12 months to comply once all POPI provisions are in effect – the implications of non-compliance are so significant that developing a compliance mindset as soon as possible is imperative,” says Louella Tindale, data protection specialist at Caveat Legal.
Practically speaking, these are steps that businesses can start taking on the road to compliance:
- Identify what personal information you collect, from whom and where you store it.
- Perform a gap analysis to identify risks – do it yourself by referring to the eight principles contained in POPI or engage an expert.
- Review your communication tools – do you direct marketing or send out newsletters?
- Consider data subject rights, and how your organisation will give effect to the right to withdraw consent.
- Implement compliance training for your staff and consider approaches to training new joiners.
- Review your contracts – consider amendments to include POPI compliance clauses.
- Review your IT security and physical security.
- Have privacy notices drawn up and consider where links to such notices should be maintained.
- Put in place a security protocol for staff covering online and physical access.
- Consider appointing a Deputy Information Officer (under POPI read with the Promotion of Access to Information Act, the CEO or head of the organisation is automatically deemed to be the Information Officer).
“The duty to comply may not be limited to POPI, and international data protection laws may also apply,” Tindale cautions. “If you are processing the personal information of EU residents you may need to comply with the EU General Data Protection Regulations, and if intend receiving personal information of EU residents on behalf of a US company, it is likely that such US company will require you to comply with the terms of the EU-US Privacy Shield.”