POPI Act Compliance
Protection of Personal Information Act
The Protection of Personal Information Act (POPIA) was promulgated some time ago but was only implemented in the middle of 2020, with a grace period for all Responsible Parties (including employers, franchisors/franchisees, data capturing companies, etc.). This grace period lapses on the 1st of July 2021, after which the Information Regulator will have the legal capacity to conduct audits on the various Responsible Parties to confirm compliance.
POPI Act Deadline
On 17 May 2021 the online portal for registering your Information and Deputy Information Officers went live. The Information Officer is the person at the head of your company (the CEO or the MD) or any other such person acting in such capacity.
Registration must be completed by the end of June 2021.
What Does Compliance Mean?
With a month left to become compliant, there are 8 conditions prescribed in the Protection of Personal Information Act to consider and to comply with:
- POPIA training with the CEO/MD and Managers;
- Companies to conduct compliance audits;
- Contraventions need to be corrected and reasonable measures introduced to prevent the loss of or unauthorised access to Personal Information;
- Introduction of Data Subject rights and consent in the business through policies and applicable clauses in agreements;
- PAIA manual introduction that incorporates data subject rights and the participation in terms of POPIA. This manual must be published on your website(s) and be open for public scrutiny;
- Staff POPIA training;
- Registration of the Information Officer;
- Recurring follow-up assessments of measures and adherence.
It is of extreme importance to consider the above in your business. Note that non-compliance is not measured through accreditation, but rather through an investigation launched by the Information Regulator following a complaint. Should a lack of compliance be shown following such a complaint, a fine of R10m could be levied as well as imprisonment. Data subjects whose rights are infringed upon could also institute civil proceedings against the Responsible Party (Company and/or Employer).
What We Offer
Initial evaluation (audit), training and POPIA bundle (online or at our offices, full day or 2 x half days)
Consideration of all 8 POPIA conditions, including:
- Identification of information (data subjects' rights)
- Employee contracts and POPIA compliance
- Training of management and staff
- Registration of designated officer
Preparation and providing of a POPIA bundle, consisting of 12 documents/policies, including amongst others:
- Privacy notifications (online/website/apps/software)
- Personal protection policy
- Personal information retention policy
- Data security policy
- Data subject access request policy
- Data subject access request form
Costs: R8000 plus VAT
1 x monthly consultation session to confirm information received, breaches, processing, guidance, updating policies and records (if applicable)
Costs: R1800 plus VAT per month
(provided that initial evaluations as per point 1 above, have been done)
Any further assistance available, especially through the practicable and reasonable implementation of policies, training and compliance audits. Additional costs – based upon specific scope and requirements.