
Data intensive businesses and POPIA


August 2020

“My business processes and stores quite a large amount of information relating to our clients. We are well aware of POPIA that has now come into effect and have been putting basic processes in place. However, I remain concerned that we are not doing enough/underestimating our obligations. What should I be preparing for?”
As you have correctly noted, the Protection of Personal Information Act 4 of 2013 (“POPIA”) has commenced, and most businesses have taken note of this, including the fact that they have until 30 June 2021 to get their POPIA house in order or face the risk of being sanctioned for non-compliance.

That said, whilst most businesses process personal information to some extent, there are businesses, like yours, that process personal information on a large scale. So, what does this mean for these data intensive businesses?

The short answer is that the POPIA obligations on businesses are largely the same regardless of size. What differs is the implementation of those obligations. The reality is that the more personal information you process, the more comprehensive your POPIA implementation plan will have to be and the more resources will need to be allocated to achieving compliance before 30 June 2021. Given that the penalties for non-compliance may be quite severe, businesses that process large quantities of personal information will need to use all the time available to ensure their POPIA compliance before the deadline, and then allocate sufficient resources to reviewing and maintaining that compliance thereafter.

To ensure compliance, a number of actions need to be taken by a business. Such actions include, amongst others: that the business has a POPIA policy; that it appoints a person or persons responsible for administering the policy; and that training is provided to all relevant employees on the policy and its implementation.

For data intensive businesses this may require the formation of a task team with the mandate to formulate an appropriate POPIA policy for the business. Such a task team would probably need to include legal, human resource, finance and information technology expertise.

For a start, the task team would have to conduct an internal audit to assess where the business stands in relation to the various POPIA pillars of compliance. Once the status quo has been ascertained, the team can identify which actions are needed for the business to attain and maintain POPIA compliance.

Next, the team would need to assess which policies, agreements and other documents will have to be amended or developed and then implemented within the business and its operations. Such implementation will have to provide for training of staff on the new practices, procedures and documentation.

