Once one is clear about what the Protection of Personal Information Act (PoPIA) means, there is the “so what” question. What exactly does compliance mean? The good news is that there are some clear guidelines. The bad news is that it isn’t a tick-box exercise. Here are a few key points to keep in mind.
How do I comply?
This is a simple question for which we need a somewhat complicated answer. One has to distinguish between rules-based and principle-based regulation. Increasingly, regulation is principle-based, which means that it is neither a one-size-fits-all nor a tick-the-box kind of approach. PoPIA is principle-based regulation.
Each organisation therefore has to decide how to approach and implement the regulation, which requires a subjective assessment of the risks with objective measures of the desired outcomes. What this means is that each organisation must assess their own privacy risk and implement mitigating controls that are proportionate to the risk. The Act furthermore requires that evidence be provided on why the policies and procedures of an organisation look the way that they do.
Getting to compliance is therefore a process of integrating PoPIA-compliant processes into the way that you conduct your business, rather than just adding another company policy to your policy library.
How easy will getting PoPIA compliant be?
The complexity of your particular situation will dictate how easy it will be to get things in place to be deemed compliant.
Complexity is determined by:
- the size of your organisation (the more employees and the more clients, the more complex the situation)
- the number of locations (more than one location makes it more complex)
- your particular industry (some industries, like the medical field, require and process more personal information than, for example, agricultural industries)
What exactly is meant by compliance?
Compliance means:
- that all personal information is processed lawfully, and
- that the personal information of data subjects is protected at all times.
In particular, this entails:
- performing a privacy risk assessment;
- putting controls in place that are proportionate to the risk;
- self-monitoring the effectiveness of these controls;
- writing principle-based policies;
- creating a Portfolio of Evidence of the risk assessment, the control universe, all decisions taken during this risk management process and approval of those decisions; and
- providing evidence to the Regulator and stakeholders of the above.
In the case of a data breach, the Regulator must be informed, and penalties will be handed down based on the above evidence. For example, if you have all of the above in place, yet your database is hacked by a sophisticated syndicate, the Regulator could decide that no penalties are required if all of your data protection practices are judged effective and appropriate given your risk assessments.
DISCLAIMER: We are not legal experts. Our guidance is based on practical experience by assisting other organisations, like yours, to get compliant. We always recommend that you retain legal counsel to advise on the legal aspects of the Act.
Want to know more about the basics of the Protection of Personal Information Act (PoPIA)? Read our “What is PoPIA?” blog here.