The Protection of Personal Information Act has been in the making for a number of years – but it’s now a reality! Here are a few pointers to help get you on track…

By 1 July 2021 you need to be fully compliant with the Protection of Personal Information Act (“POPIA”). This has been on the cards for a number of years now – but it’s now finally becoming a reality.

The bottom line is that no matter what size or type of company you manage, you cannot ignore this. You need to take it seriously and start the process of at least implementing some basic steps.

Get prepared – there are so many dangers if you are found to be non-compliant, not to mention HEFTY penalties. Here are a few initial pointers to help get you out of the starting blocks:

  • You need to appoint an Information Officer. This person must:
    • Be on the senior management team. This can be delegated but it must be a person with an appropriate level of seniority;
    • Be responsible (and liable) for all the compliance activities;
    • Work with the regulator (you need to go through the process of registering this person). You can register the person via the online process or via a manual registration form.
  • Do a detailed assessment of the personal information you collect, how you collect it, how it’s stored and, more importantly, why you need this information. Some important considerations:
    • Whenever you collect, store or otherwise process the information, you need to make sure you do it lawfully;
    • Make sure you don’t infringe on an individual’s or an entity’s right to privacy;
    • You must be able to demonstrate the purpose for which you need and will use the collected data. Remember POPIA only allows you to collect data for a specific purpose, which has to be related to your business activities, and you can only keep the information for as long as it is legitimately permissible;
    • The bottom line is that you can’t collect and retain information without good cause.
  • Make sure that you have taken all reasonable technical and organisational measures to:
    • Prevent the loss of, damage to or unauthorised destruction of personal information;
    • Ensure all reasonable steps are taken to set up and maintain appropriate safeguards to minimise the risk of security breaches;
    • Report any actual or suspected security compromises as soon as is reasonably possible (to the Regulator and the entity/individual concerned);
    • These measures must also be implemented by any third-party operator that retains or processes personal information on your behalf.
  • Establish all means/mechanisms which could involve any form of direct marketing:
    • Simply sending an SMS or an email, using automatic calling devices, or any other form of communication promoting a new product or service is deemed to be “direct marketing”;
    • There are some very strict rules and limits that need to be adhered to regarding the recipient’s consent to be communicated with and also the options to “opt out”.
  • Procedures and education:
    • Procedures need to be implemented to manage for example data collection, data utilisation and data storage;
    • Education, education, education! All employees, from the top to the bottom of an organisation, need to be trained on the ins and outs of the Act. Everyone must be familiar with the processes, procedures and reporting lines.