Perusing POPI in SA
Among the insights shared were the effects that POPI would have on the industry, and how entities need to respond to ensure they become, and remain, compliant.
A key issue with POPI is timing. The difficulty of compliance scales with the size of an organisation and with the volume, complexity and distribution of the data that contains personal information. From the date of commencement (1 July 2020), responsible parties and operators have one year to bring their processing into line with the Act. That period can be extended for particular classes of information or bodies, but this kind of compliance is comparatively new to SA entities and may prove a challenge both in implementation and in the change of mindset it requires.
The Internet industry, and Internet Service Providers in particular, need to understand this. POPI applies across the board, and its reach is wider than many expect. For example, it governs both the storage and the processing of personal information, so it also covers the information a company holds about individuals for its own internal purposes, such as employee and customer records, and not only the data it sells or publishes. Any implementation plan needs to take this into account.
Borrowing from the model used in implementations of the United Kingdom's Data Protection Act, the best-practice approach is to appoint an individual in each department or division of an organisation to deal with POPI requirements. POPI itself supports this structure: the Information Officer may designate deputy information officers. The approach has a double objective. It allows each department to run and self-regulate its own POPI processes, and it removes the need to route every POPI matter through the Legal department or a similar central function.
Building on these appointments, the designated people become, in effect, compliance officers. Their added tasks are imparting knowledge and training, taking responsibility for compliance, and keeping up to date with legislation and auditing requirements. Compliance officers can also choose to follow a career path built around keeping companies' processes in line with POPI, and there is potential for education, training, applications and direct job opportunities related to POPI compliance.
While this is a lengthy process, there are mechanisms to enable and promote its success. Of the models that brought about similar compliance across the European Union, the most effective has been one in which entities volunteer for both compliance assistance and auditing to confirm correct adherence. Before that, however, entities should take the initiative: develop training and implementation procedures internally before compliance becomes mandatory, which puts you at a significant advantage when it does. Finally, develop a strong POPI-focused rapport with both the Regulator and the relevant industry bodies. This establishes communication channels that can be used to resolve POPI queries and issues as they arise.
Finally, some vital aspects of organisations' codes of conduct need raising. Companies should bear these in mind, since they form the framework around which conduct rules are adjusted, and they need to be spread into the company culture so that all employees are aware of them and comply. Of particular note are the security safeguards for personal information, the handling of information on children (as a vulnerable group), the cases in which processing requires prior authorisation from the Regulator, and the rules on direct marketing to consumers. Addressing these concerns should be a priority for anyone altering a code of conduct to support POPI compliance.
Concluding thought: If your client is going to be surprised by what you do with their data, it’s a good indication that something is wrong on your side.