01 July 2021 marks the end of the grace period, and the operative provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) have now come into effect. Companies must ensure that their business practices in respect of the manner in which they collect, store or process personal information comply with the privacy requirements set out in POPIA.
Below is a checklist that companies can use to work towards compliance with POPIA. Please note that this list is not exhaustive; it serves only as a useful guideline directing businesses towards the most common areas in which they need to be POPIA compliant.
Checklist:
1. Appoint an Information Officer and, if applicable, a Deputy Information Officer (there is no deadline and the appointment can be made at any time, but it is advisable to appoint one as soon as possible).
2. Assess and conduct due diligence on the type of personal information that is processed in your organization.
3. Analyse how the personal information is processed, how long it is stored and why it is processed.
4. Create a culture of POPIA compliance and ensure that you create continuous awareness in the organization and train employees.
5. Re-align all contracts (with internal and external parties) and policies with POPIA.
6. Create or update your PAIA manual.
7. Assess websites to re-align with POPIA and international privacy standards.
8. Update security systems to safeguard data and personal information.
9. Inform Data Subjects of the personal information in your possession.
10. Create processes and procedures to be followed for access to personal information by Data Subjects.
11. Keep abreast of updates and Guidance Notes from the Information Regulator: https://justice.gov.za/inforeg/about.html
12. Create a POPIA compliance framework.
What are the legal implications of non-compliance?
The enforcement of POPIA means that organizations are now obliged to take stock of their legal duties and obligations, as well as their constitutional responsibilities. POPIA makes provision for fines of up to R10 million and/or a jail sentence of up to 10 years. Other legal implications of non-compliance include paying compensation to data subjects for damages they have suffered. In addition, non-compliance may lead to reputational damage, the loss of clients, customers and employees, and failure to attract new clients and customers.
It is imperative that any natural or juristic person who processes personal information becomes familiar with the Act and takes the necessary steps to ensure compliance. The information set out in this legal insight is general in nature and should not be considered legal or any other professional advice. Where necessary, seek legal advice to ensure that your organization is in full compliance with POPIA.
Noluthando Moledi, Director