LEADING PAN-AFRICAN LAW FIRM, BOWMANS, SUGGESTS EIGHT STEPS FOR BUSINESS TO TAKE TOWARDS COMPLIANCE WITH POPIA AHEAD OF ENFORCEMENT
South African Parliament has shortlisted candidates for the Information Regulator and the provisions of the Protection of Personal Information Act, 2013 (POPIA), relating to the Information Regulator’s functions, are already in effect. Thus, the appointment of the Information Regulator seems imminent and the remaining provisions of POPIA should come into effect shortly thereafter. Even though there will be a one-year grace period within which to comply with POPIA once it comes into effect, organisations are strongly encouraged to start considering what the implications of POPIA will be on the way in which they process personal information.
Businesses that collect, hold, transfer and use individuals’ personal information will have to do so under certain conditions. POPIA will be particularly relevant for employers as they will have certain obligations as the “responsible party”. The consequences of non-compliance with POPIA are significant and include hefty fines as an alternative to imprisonment. A fine will be in addition to the reputational damage an organisation will suffer as a result of failing to comply with POPIA.
In light of these developments, organisations are encouraged to take the following eight steps towards compliance with some of the anticipated provisions of POPIA:
- Review standard terms and conditions of service where services involve the processing of personal data for a customer;
- Develop standard clauses around data protection to include in agreements with service providers, for example, obligations on third parties to protect and safeguard personal information as well as indemnities in the case of a data breach;
- Conduct an audit as to what personal information is held by the organisation, where this information is held and by whom this information is held;
- Establish what personal information is collected in one place and transferred to another and whether the countries to which the personal information is transferred have adequate data protection laws in place;
- Develop group-wide standard data protection policies and protocols if these are not already in place;
- Review direct marketing activities;
- Include appropriate consents to data processing in employment contracts and job application forms;
- Appoint an information officer and deputy information officers for POPIA purposes.