The Protection of Personal Information Act (POPI) has far-ranging implications for all organisations. There are many different requirements, and most of them will be new. Because new threats and vulnerabilities are discovered daily, organisations need to actively manage and continuously improve their capability to mitigate the evolving risks. There is no such thing as 100% "POPI compliance", so treating compliance as a finished state makes no sense. Organisations will need to work regularly and systematically to address the risk of non-compliance, so that they can demonstrate to the Information Regulator that the steps they took were reasonable in light of the harm that could be foreseen.
Often, different levels of understanding and work experience result in tasks being performed with varying degrees of consistency. The documentation that responsible parties need in order to demonstrate their efforts to comply with the conditions for the lawful processing of personal information may not have the required quality, as there may be no concrete requirements on how to prepare the documents.
Documents may lack the required consistency because they are drafted by different individuals at various times and places. Tasks may also be performed out of sequence, which matters particularly where it is necessary to comply with generally accepted standards. Supporting documentation may be difficult to find when it is needed months or years later. Certain important tasks may be forgotten or not performed when necessary because they are not perceived as important or as directly related to the protection of personal information.
There are three basic steps that everyone needs to follow.
First: every instance of personal information in your possession or under your control must be identified, as you may be asked about it by a data subject or the Regulator. You need to know where it is, how it is controlled and who has accessed it. If asked, you need to be ready to respond. In short, don't get caught holding personal information you know nothing about.
Second: as much as you prepare to comply with the conditions for the lawful processing of personal information, you also need to be ready to respond to allegations of non-compliance. After all, this is what data subjects are going to complain about. Since the burden of proof rests entirely on the responsible party, regardless of whether the responsible party is at fault, you have to be able to demonstrate all the steps that were actually taken in your attempt to comply with the conditions.
Third: your information security management needs to be of a standard sufficiently high for the identified risks and consistent with generally accepted standards for information security, such as ISO 27001.
The ITGN's POPI Implementation tool will guide your organisation through each step to ensure that your approach to the protection of personal information is sound and proportionate to your needs. It is based on extensive experience (20+ years) working with the protection of personal information internationally. It can be used to manage current issues as well as co-ordinate future actions.
The ITGN POPI Implementation tool covers all phases of the POPI preparation and readiness life-cycle. It takes you through each requirement, provides guidance and helps you plan, organise, direct and control your POPI-related activities. The tool supports continuous improvement: it tracks what has been completed against what was planned and keeps a record of the progress of the POPI programme as a whole, of each initiative and area of responsibility, and of the individual issues.
With many different issues requiring attention, just about everyone in the organisation will be involved at some point. The POPI implementation tool enables the numerous issues to be planned, prioritised and tracked over time. Not all issues will require immediate attention. Some can be scheduled for later. What is necessary is a schedule of the work planned, assigned, underway and completed, together with a list of the POPI related issues requiring more urgent attention.
The ITGN's POPI Implementation tool is a web-based, multi-user solution that allows each individual to be made aware of their specific responsibilities and to provide feedback on their personal progress with the issues they have been assigned. It is also a central repository for reporting on all issues and collecting supporting documentation.