POPI compliance and becoming POPI compliant: FAQ


We often get questions about POPI that might seem obvious at first sight but that deserve an answer nonetheless. Many of these questions concern POPI compliance: what the deadline for POPI compliance is, and what happens when you are not POPI compliant in time.

What is POPI compliance?

POPI compliance means that an organisation adheres to the rules of POPI and is capable of meeting the data subject rights and organisational duties stipulated in it. When people speak about POPI compliance they often mean that measures against personal data breach risk, and all the other risks and rules to comply with, are perfectly covered.

However, there is no perfect security or protection in the digital age: hackers sometimes outsmart security companies, attacks are sometimes organised by criminal groups, and there are even state-sponsored attacks. With data and technology being so important, some countries use technology for cyber warfare.

Moreover, data can never be 200% perfectly protected, and there are myriad other reasons why breaches and non-compliance could occur, with people being the weakest link. Even if you take all possible precautions, one of your workers could make a mistake and, for example, have his laptop stolen.

Therefore, organisations must be able to prove that they did, and continue to do (also after the date when POPI applies), everything they can to be as compliant as possible. This includes knowing where personal information sits in the organisation; making sure (and being able to prove) that consent is given under the legal conditions foreseen in POPI; being able to protect the obtained, processed, stored and, under specific conditions, shared personal information against breaches, abuse and misuse; and being able to respond to the requests and rights of data subjects. If any of these abilities are not in place, the fines and penalties can be high.

When does POPI apply and what is the POPI deadline for compliance?

Certain sections of the Protection of Personal Information Act (POPI) have already commenced (under proclamation No. R. 25, 2014), but these are only a few limited sections. The majority of POPI (especially the sections that create compliance requirements) will only commence on a later date to be proclaimed by the President. Nobody knows for sure what the effective date for the rest will be.

According to the Information Regulator’s website, the Time Table of Activities shows that the anticipated date of publication of the final Regulations in the Government Gazette is during the first week of April 2018. Thereafter POPI will become effective.

However, it doesn’t stop then. Being POPI compliant is an ongoing effort. Moreover, as we saw on the road towards POPI compliance and in the reality in the field, it is certain that a lot of companies will not be POPI compliant. That is why it matters to have a plan and to build upon that plan from the risk perspective, with the ability to demonstrate that you took, and are still taking, POPI compliance steps. But of course, in case of a personal data breach or an audit, it is best to at least be as compliant as you possibly can by the end of 2018.

We must also remember that with regard to healthcare practices the National Health Act, 2004 is very clear. Section 17(1) stipulates that the person in charge of a health establishment in possession of a user’s health records must set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, the records are kept. Not doing so is a criminal offence.

What if an organisation is not POPI compliant by the POPI compliance deadline?

Unfortunately, despite the Act being officially published 5 years ahead of the coming deadline, a large number of organisations are far from being compliant with POPI.

While it is certain that there will be cases of severe fines to set an example, it is also certain that organisations need to continue, and in some cases even start, with efforts to get as compliant as possible, and to continue doing so after POPI becomes effective. Ideally, this starts with a stage of POPI awareness within a broader plan. As the fines and stipulations of POPI are related to the risks from the data subject’s perspective, with a focus on particular categories and usages of personal information (among others in industries where a lot of personal information is processed), it is important to start from the viewpoint of risk and to have a clear plan of action with documented steps. A risk analysis is key, as are a strategy and staff awareness. POPI itself also starts from the risk and data subject perspective.

POPI compliance starts with POPI awareness

Some organisations prefer to insure themselves, but even then working towards compliance is important: you don’t want to be the company known to its customers and the world as being totally not POPI compliant, let alone one that suffers a breach combined with a clear lack of understanding of, and focus on, personal information protection. That protection is as much about leadership, culture, people, processes and respect as it is about security, information management and the other technological ways to work towards compliance.
