POPIA is the South African personal information privacy law, the Protection of Personal Information Act. All organisations that collect, hold or process personal information had to comply with this law in a proportionate and demonstrable manner by 1 July 2021.
Through its processing conditions, the Act regulates and protects personal information through its entire lifecycle of collection, transfer, storing, and deletion.
At collection, for example: has the person been correctly informed of what the information is going to be used for, has a lawful basis been applied correctly, and is excess information being collected?
One of the conditions or principles is accountability – this covers the entire lifecycle of the personal information flow in an organisation. It means that the CEO or the head of an organisation is accountable for enabling the organisation’s entire privacy framework.
Why do these principles matter? Because they are the soul of the Act: everything in the regulation is built around them.
The 3 parties in POPIA:
In order to place the principles in their context we need to describe the roles of organisations and people in POPIA.
The data subject is the natural or juristic person to whom the personal information relates. This is the person whose information must be protected and only used on a lawful basis and for the purpose they were told about.
The responsible party is a public or private body or any other person who, alone or jointly with others, determines the purpose of and means for processing personal information. It is the party that needs the information processed to complete the permitted transaction, and it carries the compliance obligations.
The operator is a person who processes personal information for a responsible party under a contract or mandate, without coming under the direct authority of that party (an outsourced payroll provider or a cloud hosting service, for example).
The eight principles or conditions are as follows:
- Principle 1 – ACCOUNTABILITY
The head of the company is ultimately responsible for complying.
- Principle 2 – PROCESSING LIMITATION
Usage must be lawful, with the minimal amount of information necessary.
- Principle 3 – PURPOSE SPECIFICATION
Collected, used and retained for a specific, explicitly defined purpose related to your organisation's activity.
- Principle 4 – FURTHER PROCESSING LIMITATION
Further processing must be compatible with the original purpose for collection.
- Principle 5 – INFORMATION QUALITY
Ensure that the personal information is up-to-date, complete and accurate.
- Principle 6 – OPENNESS
You must tell the person certain things when you collect their personal information, including who you are and why you are collecting it.
- Principle 7 – SECURITY SAFEGUARDS
Measures to prevent loss of or unauthorised access to personal information.
- Principle 8 – DATA SUBJECT PARTICIPATION
The information does, after all, belong to someone else, so they must be able to access it and have it corrected.
What must one do to meet the 8 principles or conditions?
This is the question that is constantly asked, and the answer is really about creating and managing a privacy compliance programme in an organisation.
This programme comprises the organisational and technological measures that must be put in place to ensure initial and ongoing compliance with POPIA.
The areas covered by an ongoing privacy program are:
- The role and appointment of the information officer.
- Operational compliance in the areas of:
- Consent management
- Electronic Marketing
- Human Resources
- Information Technology and Security
- Mapping the flow of personal and special (sensitive) personal information.
- Employee Awareness
- Data subject Access Requests
- Breach logging and management
All of these areas require ongoing effort by an organisation to manage and control. Together they serve to meet the requirements of the eight POPIA conditions.
The Data Governance and Privacy Platform (privIQ) is a comprehensive tool for demonstrating compliance, mapping personal and sensitive personal information, governance and communication to all stakeholders, managing data protection, impact assessments and subject access requests, and reporting data breaches.
This collaborative cloud-based service will save you time and money by giving you the tools to document your efforts, educate your staff and manage the new processes required by the Act.