Demonstrating compliance with POPIA
Remember 2020/2021? Me neither. It was a whirlwind of masks, sanitizing, long queues, bans, new terminology and isolating. A new abnormal. What you may not remember are the soft murmurings of a little South African Act called POPIA. POPIA stands for the Protection of Personal Information Act, and just as we comply with Covid-19 laws by masking up, we too must demonstrate compliance with POPIA within our businesses, by producing evidence of our efforts and monitoring our POPIA compliance processes.
Does this mean I have to educate myself on data protection laws, and get a degree in the ins and outs of data privacy and security? The short answer is thankfully, no! Nowadays, there are compliance management apps that facilitate your compliance journey and provide training tools to ensure every member of staff is aware of POPIA and the processes necessary to demonstrate and monitor compliance.
When will you need to demonstrate compliance?
- During an audit, usually triggered by the Information Regulator
- Producing your PAIA manual (The Promotion of Access to Information Act requires all public and private bodies in South Africa to have a manual. Essentially, the manual explains to people how they can get access to the records held by your organisation)
- Potential clients or investors might well be interested in your level of compliance with POPIA before doing business with you
- Responding to an incident involving personal information
- Responding to a data subject access request
If you prefer to take the sitting duck approach when responding to these kinds of situations, you could cross that bridge when you get there. But if you are like most successful business owners who prefer to be prepared for anything, you need to be sure that your business is POPIA compliant. It’s a bit of a complex question but let’s try and break it down...
What does it mean to demonstrate compliance?
At the outset we must appreciate that POPIA provides for certain privacy rights of data subjects (individuals to whom personal information relates) when organisations collect and use their personal information. Don’t be misled into believing that personal information is limited to name and contact details. POPIA’s definition covers a wide range.
OK, so how must organisations uphold these rights? Well, Section 4 of POPIA provides for 8 conditions which specify how personal information must be processed. These 8 conditions form the core of POPIA and represent the minimal standards for the lawful processing of personal information. Let’s have a look at a few examples of these conditions.
Condition 2 – Processing Limitation
Made up of 4 subcategories which are aimed at regulating how personal information is collected, Condition 2 tells us that the processing of personal information must always be lawful and done in a reasonable manner to ensure that the privacy of a data subject is not infringed when personal information is being processed. In English, you ask?
Personal information must be processed in a lawful manner. If you’ve followed all POPIA protocol but failed to mention you hacked a system to get the data, you have not complied with Condition 2 (more specifically Section 9 – Lawful processing).
Personal information should also be adequate, relevant, and not excessive. You don’t need to ask for an ID number when selling some tyres (if you disagree, read up on Section 10 – Minimality).
Generally, personal information may only be collected with the consent of the data subject. Without that consent, the information may only be processed on the basis of a limited number of other justifications. Data subjects have the right to withdraw previous consent and to object to the processing of personal information in certain circumstances. They may also object to your organisation’s reliance on certain justifications such as the data subject’s legitimate interest, a public law duty, and your organisation’s legitimate interest.
This pretty much sums up Section 11 of POPIA – Consent, Justification and Objection.
Simple enough, right? Let’s see if we can digest another one of these Conditions...
Condition 6 – Openness
The purpose of this condition is to ensure that processing does not happen in secret and without the data subject’s knowledge. In other words, data subjects cannot exercise their rights if they don’t know that their personal information is being collected and processed.
Sub condition 6.2 - Notification to data subject when collecting personal information.
Consider yourself as a data subject. Imagine you apply for a clothing account at Eco Thread, and the necessary credit checks need to be done in order to proceed with your application. Eco Thread would invariably have to collect such personal information to assist in carrying out this task. Condition 6 of POPIA would require them to notify you, as the data subject, as to which personal information they are collecting, including having to inform you of:
- The name and address of Eco Thread
- The purpose for which the information is being collected
- Whether the supply of your information is voluntary or mandatory
- The consequences of failure to provide the information
- Any particular law authorising or requiring the collection of the information
Now let’s turn the tables, and you are the owner of Eco Thread. You would need certain measures in place so that your data subjects are always kept in the loop the minute any personal information is collected from them. In this scenario, the data subject (the person applying for the account) would have to be notified at the time of applying. The application would have to state which personal information is being collected, as well as all the requirements listed above under sub-condition 6.2 of POPIA.
These are just two conditions out of the 8 that form the heart of what it actually means to be POPIA compliant. Still scratching your head or wanting to take a deeper dive? These guys will assist you with an in-depth understanding and help you achieve that POPIA peace of mind. Now, you may be thinking...
How can you ensure that you can demonstrate compliance?
That’s a good question. One that should be followed up with a few more:
- Do you have the relevant policies?
- Do you have a privacy notice that is informed by your data mapping?
- Do you have the correct (if any) procedures for security breaches and subject access requests?
Let breathing easy be your new normal.