What’s next once the Protection of Personal Information Act (PoPIA) has been implemented? How will it affect us?
How will PoPIA change the day-to-day operations in my business?
PoPIA is not about ticking a box or showing a policy on your website. It is rather about the entire process of changing how personal information is viewed, at every level of the organisation. This requires a change in processes, perception and culture, and is highly dependent on the training and change management that is applied to bring this change about. Ultimately it is about integrating the entire ethos of privacy protection into processes, with privacy seen not as a grudge implementation but rather as a tool that would assist the business.
Who in my team do I need to involve in this?
Anyone who is dealing with personal information in your organisation, keeping in mind that this includes not only client information, but also supplier and staff personal information. At the very minimum, these staff members need to be trained on how PoPIA affects their specific positions and how they should be carrying out their data-related tasks. These members should ideally also be involved in the risk assessments, and their input should be solicited for appropriate policies and process adjustments.
How will PoPIA affect me as a consumer?
Your rights as a consumer will be far more evident wherever your personal information is requested. Expect to be asked more pertinently whether your information may be used for a specific purpose and kept on record for a specific period of time. Also expect to be contacted should a data breach take place, informing you of the repercussions.
In general, you will experience a more thoughtful approach to personal information, with full disclosure, putting the control over personal information squarely back in the consumer’s hands. In practice this means anything from double-opt-in requests to full-disclosure privacy statements in all documentation. Even security guards requesting name and contact details would have to explain why they need the information and what they intend to do with it.
All organisations must have a transparent process regarding the following:
- as the owner of your personal information you can request a detailed report reflecting the personal information in the organisation’s possession and even where the information is stored;
- you must be provided with a clear process on how to keep your personal information up to date; and
- finally, you must be provided with a clear process on how to complain should you feel your information is being misused or abused by any organisation.
This does, however, also require more vigilance on the side of the consumer to ensure that the fine print is read and the tick boxes are fully understood before giving consent.
What is the first thing that I should be doing now?
Include a PoPIA compliance project in your annual business strategy, making sure you schedule it in your priority list and allocate sufficient resources to it. Do not underestimate PoPIA compliance.
DISCLAIMER: We are not legal experts. Our guidance is based on practical experience gained by assisting other organisations, like yours, to get compliant. We always recommend that you retain legal counsel to advise on the legal aspects of the Act.