Page 53 - Q&A
Data intensive businesses and POPIA
August 2020
“My business processes and stores quite a large amount of information relating
to our clients. We are well aware of POPIA that has now come into effect and
have been putting basic processes in place. However, I remain concerned that
we are not doing enough/underestimating our obligations. What should I be
preparing for?”
As you have correctly noted, the Protection of Personal Information Act 4 of
2013 (“POPIA”) has commenced, and news of this has reached most businesses,
including the fact that businesses have until 30 June 2021 to get their POPIA
house in order or face the risk of being sanctioned for non-compliance.
That said, whilst most businesses to some extent process personal information,
there are businesses, like yours, that process data on a large scale. So, what
does this mean for these data intensive businesses?
The short answer is that the POPIA obligations on businesses are largely
the same. What differs, however, is the implementation of these obligations.
The reality is that the more data you process, the more comprehensive your
POPIA implementation plan will have to be and the more resources need to be
allocated to achieving compliance before 30 June 2021. Given that penalties
for non-compliance may be quite severe, businesses that process large
quantities of data will need to use all the time available to ensure their POPIA
compliance before the deadline, and then similarly allocate sufficient resources
to reviewing and maintaining their compliance thereafter.
To ensure compliance, a number of actions need to be taken by a business.
Such actions include, amongst others: adopting a POPIA policy; appointing a
person or persons responsible for administering the policy; and ensuring that
training is provided to all relevant employees on the policy and its
implementation.
For data intensive businesses this may require the formation of a task team with
the mandate to formulate an appropriate POPIA policy for the business. Such a
task team would probably need to include legal, human resource, finance and
information technology expertise.
For a start, the task team would have to conduct an internal audit, to assess
where the business stands in relation to the various POPIA pillars of compliance.
Once the status quo has been ascertained, the team can identify which actions
are needed to attain and maintain POPIA compliance by the business.
Next, the team would need to assess which policies, agreements and other
documents will have to be amended or developed and then implemented within
the business and its operations. Such implementation will have to provide for
training of staff on new practices, procedures and documentation.