FANews

Have we grown complacent?

04 May 2020 Myra Knoesen

Although the Protection of Personal Information Act (POPIA) was meant to come into effect on April 1, 2020, and the date has been pushed out again, some organisations have already implemented impressive POPIA compliance programmes. Others are struggling to get their implementation programmes going.

“Similar to other legislation that has come into effect recently, the law will have an implementation period of about one year, and many organizations have already begun taking steps to comply with POPIA. However, for as many organizations that are ahead of the curve, there are at least twice the number that are underwater and struggling to comply,” said Lecio De Paula, Director of Data Privacy at KnowBe4.

Frustrated with the slow progress

“From my experience in the insurance industry, people have been waiting in anticipation for POPIA to come into force. There was plenty of hype and dare I say excitement about this piece of legislation; many a training session was attended and much focus and attention was given to this legislation, however people became frustrated with the slow progress; and in my view, may have grown complacent,” said Celeste Aitken at Norton Rose Fulbright South Africa. 

“Do we remember what we learned in those training sessions and presentations? Have we remembered what we have read up on, and most importantly, have our departments implemented what is required in terms of this legislation?” questions Aitken.

Continuous interaction and activity

“However, more is being done by the regulator than perhaps meets the eye. Even though this piece of legislation is not fully implemented, there has been progress and activity by the office of the Regulator. According to a press briefing by the Information Regulator, it has received and acknowledged complaints relating to the unlawful processing of personal information and access to information. The Regulator has further disclosed that a majority of the complaints relate to the banking, insurance and telecommunications industries,” continued Aitken.

“The Members of the Regulator have also had continuous interaction with national and international stakeholders and have met with public and private stakeholders to discuss topics of mutual interest. The Members of the Regulator also provided training on POPIA to certain bodies and made submissions on the Cybercrimes and Cybersecurity Bill (2017) to the Portfolio Committee on Justice and Correctional Services on matters that affect the processing of personal information and related matters,” said Aitken.

“The Regulator has also been keeping her finger on the pulse with regards to national and international data breaches and there are regular updates on the Regulator’s website warning the public of data breaches,” added Aitken.   

The obligations imposed by POPI

“It is unlikely that there shall be extra compliance requirements in 2020. The regulations which were published on 14 December 2018 added only a few extra compliance requirements, except for certain forms which may need to be completed under certain circumstances,” emphasised Aitken. 

“There is little practical guidance in both POPI and the Regulations on how to implement the principles set out in the Act; it is accordingly up to the responsible party to apply the obligations imposed by POPI to their business,” concluded Aitken.

Priorities we should focus on right now 

Regardless of your organization’s position, De Paula said, the following are the three priorities to focus on right now in order to comply with POPIA.

  1. By this point, you already know that POPIA is applicable to your organization, so now you need to figure out what exactly you need to do to comply. This means you need to figure out where you stand in comparison to POPIA’s requirements by conducting a business privacy impact assessment. This is where you’ll identify privacy risks in your organization (aka noncompliance) and come up with a plan to either remediate or accept them. The assessment should consist of a broad series of questions about your organization as a whole, and also have questions that are more granular to specific processes and departments. Business privacy impact assessments are the lifeblood of a privacy program, and are essentially an audit you conduct against controls that your organization has in place to comply. These should be conducted on a periodic basis.

  2. Once the privacy impact assessment has been conducted, it’s time to focus on the more pressing issues you have chosen to remediate. Depending on the type of organization you’re in, different processes may have different priorities. If you’re a tech company, you may begin by first focusing on what you need to do to ensure your services are in compliance with the law (compliant data retention, privacy policies, consent mechanisms, etc.). The key is to tailor your approach and tackle each issue with a risk-based approach. High-risk processes should always come first. A good approach to take is to start with client/customer personal data processes and work your way towards employee personal data. This will involve collaboration with many departments, so executive buy-in is a must; and privacy compliance should be pitched as business enablement. Privacy is there to provide trust to your employees and customers.

  3. Now that you’ve established policies, procedures or implemented other controls required for compliance, it's time to create a system to effectively monitor the controls you put into place. What’s difficult about privacy is that everything is constantly evolving, and it will always keep you on your toes. Most organizations do not have a robust team of privacy professionals and it’s usually limited to a few individuals, if any at all. Automation becomes paramount to ensure you have a robust privacy program with limited resources. Leveraging a governance, risk and compliance (GRC) tool to help you conduct assessments, map controls and data flows will be extremely beneficial in the long run. If your organization does not have the budget for one, using a cloud drive folder (albeit a little more tedious) will still work in this regard. You can use this to set up your templates and upload your compliance documentation for ease of access.

It’s all about protecting personal data

“In more simplified terms, organizations should audit every location they store personal data on, see what controls are in place to protect this data (technical controls, establishing the legal basis for processing, CIA triad), and document those controls or the controls that are being put in place,” said De Paula. 

“There are various other obligations of course, but initially it’s all about understanding how, where and why your organization stores personal data. Without answering these few questions, you will not be able to comply with other aspects of POPIA, because as the name suggests, it’s all about protecting personal data. And if you don’t know where it’s stored, how you process it and why you store it, it will be impossible to protect,” concluded De Paula. 

Writer’s Thoughts:
As an industry, we should view all the changes that will come into play as an opportunity to reimagine customer relationships and professionalize our industry. Why take the risk? Non-compliance may bear severe consequences. What has been challenging and what suggestions do you have? Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts editor@fanews.co.za.
