2014
POPI Compliance
admin-attorneys
20 NECESSARY STEPS TOWARDS POPI COMPLIANCE
1. The what: Read the Act.
2. Unpack and analyse: Summarise the parts of the Act which apply to your business.
3. Learn from others: Attend some POPI workshops and seminars to gain insight into what has to be done to ensure that the Act is implemented within the business.
4. Establish a task team: Decide which departments within the business will be responsible for the implementation of POPI, and set up a task team made up of the Company's Information Officer (established under PAIA, the Promotion of Access to Information Act), a legal advisor, a number of representatives from the IT department, a representative from each business unit or cluster within the business, and a representative from Corporate Affairs.
5. Educate and workshop: Conduct workshops within the business and its various operations to create awareness of the Act and of what "personal information" and "privacy" mean.
6. Inform: Provide the business with a succinct summary of the Act and of what it needs to do in order to comply with it.
7. Find the source: Locate all personal information which is held, used or stored within the business and classify this information using a classification sheet.
8. Gap analysis of records: Get an external auditor and the IT function to audit the records and documents held in the business to determine why they are held, how they are held, how they are used, whether they are secure, whether they should be deleted, etc.
9. Gap analysis of business: Conduct a gap analysis on the provisions of POPI, its requirements and its impact on the business and operations, and arrive at action items to feed back to the task team.
10. Retention and archive strategy: Develop a document retention and archive policy and procedure, including document retention periods and methods of destruction.
11. IT infrastructure and security issues: Consult with the IT experts on how to develop a complete records management system in which personal records are correctly stored, can be retrieved, updated or archived, and which is secure.
12. POPI policies and procedures: Develop appropriate POPI policies and procedures for the company and its various businesses and operations.
13. Review existing IT and information-related procedures: Ensure that they are aligned with POPI.
14. Section 18 informed consent document: Develop a section 18 informed consent document for customers, suppliers and other persons from whom the company collects personal information.
15. PAIA Manual: Revise the company PAIA Manual and insert a reference to the processing of personal information procedures which the company has adopted.
16. Appoint an Information Officer: Appoint an Information Officer and/or deputy officers, provide him or her with a list of the duties which he or she is required to carry out under POPI, and, when POPI becomes effective, notify the Regulator of the details of the Information Officer and any Deputy Officers, where appointed.
17. Set up a complaints procedure: Establish a complaints procedure, detailed in the Company's PAIA Manual, which allows easy and effective remedy of any complaints which may be brought by a data subject/client.
18. Emails: Revisit the wording of email disclaimers. References to privacy and confidentiality should be scrutinised and analysed.
19. Direct marketing: Scrutinise the company's marketing and direct marketing practices to ensure that they are in line with POPI, and make sure all communications provide for an opt-out procedure.
20. Ensure that the company is able to comply with POPI when the Act comes into force.
For more information on POPI, contact alison.lee@mweb.co.za
