About

  • POPIA is designed to respond to a growing concern about inappropriate use of Personal Information and adds responsibilities on organisations for their response to data breaches.
  • POPIA requires an effective response from any organisation that gathers Personal Information. Not only must you maintain strict security measures to prevent data breaches and misuse, but you must also be able to respond efficiently and comprehensively to the increasing number of data subject access requests (DSARs).
  • You need to make sure that you have procedures in place to address Data Subject Requests promptly because this is normally the first step a Data Subject will take before approaching the Information Regulator.


Templates, Forms, Policies, Guidelines – POPIA Data Subject Requests


Frequently Asked Questions

The increasingly strict data privacy legislation requires an effective response from any organisation that gathers personal information. Not only must you maintain strict security measures to prevent data breaches and misuse, but you must also be able to respond efficiently and comprehensively to the increasing number of data subject access requests (DSARs). Experience shows that this is the first step a complainant takes before complaining to the Information Regulator.

Data subject requests are becoming increasingly common, so it is critical to ensure you can respond promptly. Your compliance project management team should take the following steps:

Appoint a responsible person. If your organisation processes Personal Information in South Africa, you must designate an Information Officer. This person serves as the point of contact for Data Subjects and is responsible for overseeing the organisation's data protection strategies for POPIA compliance.

Develop data handling guidelines. Specify who can access which types of data, where each type of data should be stored and for how long, which documents have to be printed and where those printouts must be kept, which documents can have a digital version, how data must be purged once you no longer need it, and so on.

Identify the legal basis for processing of personal data. Once you know what regulated data you have, you need to determine and document the legal basis for processing it. This is not just an exercise to justify storing all the data you want; you must ensure you have a legitimate reason to keep the data. Note that simply having a Data Subject’s consent is not sufficient justification for storing and processing their Personal Information.

Automate data discovery and classification. You must know precisely what regulated information you have, and that information has to be easily discoverable and accessible. The best way to achieve this is through data discovery and classification. Having a clear understanding of what sensitive data you store is valuable for more than just compliance — it will also help you refine your data collection policies, optimize your storage, improve your data management processes, and drive better user productivity and decision-making.

Perform regular risk assessments. Risk assessment is a security best practice that will strengthen your defences and help keep your business out of trouble. Performing risk management regularly will enable you to adapt quickly to the changing regulatory and cyber-threat landscapes and harden the security of your critical information.