Businesses urged to use grace period for POPI compliance wisely
Protection of Personal Information Act came into effect yesterday, with one-year grace period
With the Protection of Personal Information (POPI) Act officially coming into effect yesterday (1 July), South African businesses have been granted a one-year grace period to make the necessary changes to their organisations before the penalties outlined in the regulation will apply. While it may seem like a long time, non-compliant businesses will only be able to meet this deadline if they start updating their internal systems immediately.
This is according to Terence Govender, Director of Mazars IT Advisory, who points to a 2019 survey which showed that only an estimated 34% of businesses are currently ready to meet the POPI requirements. “One of the challenges at the moment is that many businesses do not have a clear road map of how to become compliant within the next year. This also means that it is difficult to implement a compliance strategy that is cost-effective.”
Govender says that depending on the size of one’s organisation, it is possible to become POPI compliant on a reasonable budget. “While there are certain aspects of becoming compliant that may be best to do with the help of an outside service provider, it is possible to make all of the necessary changes oneself. Of course, this requires that one knows where to start, and depends on how big or complex the organisation is.”
He adds that it is vital to take a holistic view of one’s entire organisation. “Many companies are primarily focused on policies and procedures, but it is just as important to focus on the possibility that you may have to amend systems. A lot of the time, companies’ systems generate documentation containing personal information. It is crucial to revisit these systems to see whether one really needs the personal information captured by these systems, and whether it is being disclosed to one’s customers that this information is being stored.”
Govender explains that within the next three months, it will be vital for businesses to conduct some form of readiness assessment. “This is where a company can get the most value from engaging with a capable service that can provide an informed evaluation of all the relevant processes within a business. For our own clients, we have crafted a questionnaire to get them started and which can provide the basis for further action.”
From there, the biggest part of the process starts. “Between month three and month ten is when the hard work needs to be done. Companies should then be looking at their processes, and implementing and amending any issues. This applies to internal processes, document storage, policies and every other aspect of the organisation that deals with personal information.”
The final two months of the grace period should be used for verification. “This is when you have to test all your company’s compliance against the Act again. If there are any gaps or errors, two months will likely be just enough time to detect and rectify them before the deadline. Following these steps should get businesses ready for POPI, but only if they start immediately,” Govender concludes.