The President of South Africa has proclaimed that the Protection of Personal Information Act (POPI Act or POPIA) will commence on 1 July 2020. This means that companies will have until 30 June 2021 to ensure that they are compliant with the Act.
After a very long wait, the point has now come for companies to take action and be ready by the deadline. The question is what action you, as a company, now have to take to become compliant.
ironWILL will assist you to take practical and effective action that achieves the best results at the lowest cost.
Wherever your organisation is in the process, ironWILL can help.
There are many possible paths companies can take to reach compliance, and it is important that companies choose the right one.
Our services are summarised in the graphic on the right, which depicts and encapsulates our project methodology for implementation from zero to full compliance, followed by ongoing monitoring with the needed compliance reporting:
ironWILL will assist your company to comply with the requirements of the Act through its own assessment and implementation methodology.
This assessment is based on a risk identification and risk mitigation model that delivers the required building blocks and design principles to carefully plan the “what”, “when” and “how”, as well as the costs of the POPIA implementation plan. The assessment allows for various risk mitigation models that can be implemented in accordance with the client’s needs and risk priority actions on the road to compliance.
The final stage is based on a project management plan, to implement the risk mitigation and the compliance roadmap.
This component of the total project consists of the implementation of the strategy and plan derived from the assessment.
ironWILL follows a best-practice methodology called I-PROP (ironWILL Privacy Risk Optimization Process), a process that embeds privacy into operational policies and procedures, which results in Privacy by Design for business practices.
Once your firm has completed and built its POPI compliance program, there should be ongoing monitoring to ensure compliance.
To ensure ongoing compliance, ironWILL suggests seven action items that need to be considered:
Train staff regularly – Training is key to ensuring that your firm’s staff understand the new regulations and their responsibilities in ensuring that your firm remains compliant with POPI. One of the most likely forms of personal data breach is a member of your staff inadvertently emailing data to the wrong recipient. This may sound benign, but your firm may need to notify the supervisory authority in this instance and could face substantial fines if you don’t. It is imperative that your staff understand how data processing could constitute risk to an individual. Staff must be equipped with the tools and knowledge to minimise the chances of a breach, and to respond to a breach if it occurs.
Keep documentation updated – Ensure that documentation is updated to reflect changes to data processing activities. For example, changes to payroll workflows or investor onboarding procedures should be updated within your firm’s records of processing activities, as should any required changes to privacy notices and policies. Review and update documentation regularly.
Manage risk actively – Actively manage risk registers with regular risk assessments. Review workflows, systems, and vendor relationships to identify risks in processing activities and to document mitigations/remediations. Perform data protection impact assessments for changes that could represent a high risk to individuals, for example, changes to your anti-money laundering/know your customer process, or even major changes to health benefits.
Manage vendors – Perform due diligence on data processors during the selection process and on an ongoing basis. Ensure that your vendor implements appropriate technical and organisational safeguards around data processing activities.
Operationalise your POPI program – Test the effectiveness of your firm’s processes, controls, and tools (i.e., their implementation program). Most firms that have taken steps toward compliance are still working on implementation or have recently completed implementation of their roadmap. Implementation is important, but the processes, controls, and tools still need to be operationalised.
Monitor and maintain your POPI program – Work with your firm’s compliance department or an external service provider to implement a compliance monitoring program. Use key performance indicators (KPIs) to periodically assess your compliance with POPI requirements. Define a process to address identified compliance gaps, including any required program updates that result from changes to existing data protection regulations or new guidance published by the Information Regulator.
Report to senior management – Regularly report on the status of compliance monitoring and any associated findings to senior management.
ironWILL provides consultation and project services with regard to all seven points mentioned above.
Once your POPI program is implemented, it is important to bear in mind that POPI compliance is not something that can ever be called “done.” For security and data privacy teams, keeping processes compliant will be “business as usual” for the foreseeable future. To support this effort, there are some simple reports you should run regularly to demonstrate that your compliance efforts are keeping you where you want to be.
ironWILL also provides consultancy in this regard to assist companies with the needed reporting to prove ongoing compliance.