The much-anticipated Protection of Personal Information Act, 2013 (POPIA) will commence on 1 July 2020. However, this is not cause for panic because this is not the date from which you will be penalised if you do not comply. From 1 July 2020 you have 12 months to comply with POPIA. Therefore, if POPIA applies to you, now is the time to get your house in order as you will need to be compliant by 1 July 2021. What does this mean practically? What steps must be taken forthwith? We suggest following the seven steps set out below.
The first step is determining whether POPIA applies to you at all: if it does not, you do not need to comply with it.
Once you have determined that POPIA applies to you, the second step entails having a meeting or conference call with all your stakeholders to gather information and understand the business areas in terms of the application of POPIA, for example, client data, human resources, record management etc.
The third step involves conducting an audit in respect of all your current systems and procedures. This audit is usually conducted by completing a POPIA questionnaire and preparing a list of items to be audited, for example job application forms, employment agreements, policies, terms and conditions, service-level agreements etc. This can be a time-consuming process, but remember that you still have 12 months to comply with POPIA! This step is critical and should not be rushed. It is also advisable to seek professional assistance to ensure that a meticulous review of all documents is conducted.
Once you have identified and reviewed the documents that need to be POPIA compliant from the audit in step three, the fourth step involves amending these documents to make them compliant with POPIA. Professional assistance in this regard is also advised.
The fifth step is a risk assessment and involves assessing the need to develop and implement further policies, procedures and terms and conditions (that is, in addition to the existing documents), for example a privacy policy, a consent policy and consent forms, a data access policy, a security breaches policy etc.
The sixth step is preparing for POPIA implementation by drafting a POPIA manual or guide in plain language and drafting a model consent clause template.
The final step is preparing the Information Officer role. This step involves setting up a framework for managing internal POPIA compliance procedures, escalation channels, committees etc. The Information Officer should also be trained in his/her role and responsibilities in terms of POPIA.
As indicated above, the time to start preparing for POPIA is now. Our team at NVS is ready and willing to assist you with each of the above steps. Please do not hesitate to contact us; we will be glad to provide you with a quote in this regard.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions, nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE).