The POPI Act Compliance Checklist Every South African Business Should Have
The existence of the POPI Act won’t be news to most South African businesses. We’ve been expecting the regulations to come into effect since the act was passed all the way back in 2013 – it’s just taken a few years to put the framework in place that will allow companies to prioritise the protection of personal information.
But businesses, both new and old, are still getting to grips with what POPI Act compliance means. What data needs to be protected, and what are the best ways to go about ensuring that you’re never in breach of the act or putting your clients’ (and your humans’) details at risk?
With this in mind, we’ve put together a POPI Act compliance checklist to make sure you’ve got all your bases covered, whether you’re just entering the market or are wanting to change the way your data is stored.
Not sure what the POPI Act is? You may want to start with our Protection of Personal Information Page, or learn more about a POPI compliance audit on our blog.
8 Steps to POPI Act Compliance Checklist
The process of protecting the personal information in your possession is a complicated one, but we’ve broken it down into 8 simple steps that are easy to follow. Each of these steps does involve a few checkpoints that you can tick off as you go.
Both new and old businesses are still getting to grips with the Protection Of Personal Information (POPI) Act, and how it affects their operations.
Want to download this POPI Act Checklist instead? Click here.
1. Set Up Your POPIA Project
Because protecting your business’ personal data is going to be a long process, the first step in this POPIA compliance checklist is going to involve setting yourself up for success.
- Identify who the stakeholders for the project are.
- Assign a project manager to the task.
- Put together a timeline and budget.
2. Assign An Information Officer
This could be a role that one of your existing humans – your CEO, for example – takes on, or you may want to look into creating a Data Management position, which you could hire an Information Officer (IO) or Deputy Information Officer (DIO) to fill. In either event, the POPI act requires that someone from your company be appointed as IO to ensure your personal data’s compliance.
- Determine the responsibilities that an IO will need to fulfil.
- Determine whether a DIO will need to be appointed.
- Decide whether you’ll be filling the roles internally or hiring externally.
- If you already have a Promotion of Access to Information Act (PAIA) officer, make sure that they’re aligned with your IO and DIO roles. If you don’t already have one, your IO will also become your PAIA officer, and this will need to reflect in their responsibilities.
- Formalise the appointment of your IO by registering them with the Information Regulator.
3. Understand Your Company’s Existing Data
- Create tags or labels for the personal information that you collect. This will make it easier for you to process and store the data correctly in future, as well as organising existing information.
- Determine what information you need from your clients and staff to operate effectively.
- Understand what unnecessary data you are storing.
4. Perform a Gap Analysis to Understand Where Improvements Can Be Made
Once you have a good idea of the data that you are storing and processing, the next step for your POPI compliance checklist is to analyse where improvements can be.
- Gain a deep understanding of what is required for POPI Act compliance in terms of consent, purpose, sharing and destruction.
- Set a timeline for becoming as POPIA compliant as possible – while being 100% compliant would be ideal, it may not be possible in the foreseeable future. What is important is that you are making efforts to protect the information in your possession and take personal data protection seriously.
- Create assessment criteria for meeting the timeline that you set out
- Ensure that stakeholders are involved and have a full understanding of what is required.
- Get explicit consent from clients and staff for storing their personal information.
- Ensure that your clients and staff understand their rights, what data is being stored by you, and what purpose it serves.
- Contact your vendors and suppliers to ensure that they are POPIA compliant, (and send them this POPI Act Compliance Checklist if they aren’t quite yet).
5. Review & Update Your Website
If you’re like most businesses, your website is a hub of activity. It’s where potential clients come to learn more about who you are and the services that you offer. And if you’re doing marketing the smart way, you are likely gathering some information about the visitors to your website. You may be recording the pages that they visit, trying to get an idea of their demographics so that you have a better understanding of your customer base and more. All of this information needs to be given consensually and stored correctly for POPI Act compliance.
- If you are tracking cookies, ensure that you have a notice to let visitors to your website know, and to give them the option to opt in or out.
- If you have forms on your website, add a disclaimer explaining how the information that visitors submit is stored and processed.
6. Put POPIA Policies in Place
POPIA compliance is not a once-off project that you can put in place and then simply forget about. Protecting your clients’ and your humans’ personal data will be a consistent endeavour, and one that will evolve and change over time. This is why it’s important to not just implement once-off solutions to tick off boxes on your POPI checklist, but to have policies that will keep the momentum going, and keep the aim behind the Act consistently top-of-mind. After all, this is all about your clients’ safety and security, and by prioritising the protection of their data, you are instilling further trust in your company.
- Consistently track, assess, and perfect your Personal Information lifecycle – how it’s obtained, processed, stored and, eventually, destroyed.
- Put processes in place to regularly measure and evaluate the success of your compliance efforts. These could include self-assessments, data health checks and IT audits.
7. Create Your PAIA Manual
While the POPI Act may be the main compliance measure on your mind, don’t forget about PAIA either. I mentioned earlier that you may already have a PAIA (or Promotion of Access to Information Act) Officer on your team. This is because PAIA has been in effect a little longer than POPI. But if this is a role that you still need to fill, the good news is that there is a lot of overlap between your Information Officer and your PAIA Officer, allowing for the two roles to potentially be fulfilled by one hire.
Where the POPI Act is all about protecting personal information, the PAI Act is all about the right to access information. And, as you can tell, the two concepts go hand-in-hand. PAIA compliance requires you to have a manual which details the kind of information that you hold, and how members of the public can request access to that information.
Since the deadline for PAIA compliance has already passed, most existing businesses will already have a PAIA manual in place, which simply needs to be updated with details of your Information Officer. But if you are starting a new business, the next step in your POPI Act compliance checklist is making sure that you’re PAIA compliant as well.
- Confirm whether your business is a Public or a Private entity under the PAIA regulations.
- Put measures in place to ensure that your company is able to provide access to relevant information when required.
- Make sure that your PAIA manual is laid out and includes the details required by the Act
8. Train Your Teams
The next step may be the last, but that doesn’t make it the least important part of the process. In fact training and adoption is one of the biggest indicators of success in projects like taking on POPI Act compliance.
- Ensure that your teams understand how your data is collected, stored, processed and deleted.
- Train your humans on the importance of personal data protection, and why you are putting POPI measures in place. This will go a long way towards them seeing the new measures you’re putting in place as more than just regulations, but steps that your business is taking to protect them, and to protect your clients.
- Train your stakeholders on the importance of data protection as well. While your teams may handle the information on a daily basis, it’s essential that you have buy-in on every level to ensure that the efforts you’re putting in place will be effective.
- Create ongoing education tools. This will ensure that your humans are constantly reminding themselves of the processes they should be following, and that new hires will learn the processes as part of joining your business.
Ready To Start Your POPI Act Compliance Journey?
POPI, PAIA, IO, DIO – we can understand if by this point your head is reeling with all the details that compliance entails! But there is light at the end of the tunnel, and at the front of it in fact! If you are a new business looking to kick off your POPI Act compliance, or an existing business wanting to ensure that your data storage solutions are meeting the requirements for the Act, Solid Systems is here to help.
Not only have we put together the downloadable POPI Act compliance checklist, but we also conduct compliance audits, our IT consultants can advise on best practices when it comes to cloud storage for personal information, and we offer a variety of cloud storage, cloud backup and recovery, and disaster recovery planning solutions to suit your business’ unique needs.
If you’re ready to start your POPI Act compliance journey, get in touch with us today, or book a consult, and we’ll be happy to spend some time talking you through your options and the journey ahead.