With the one-year grace period for ensuring compliance with the Protection of Personal Information Act No. 4 of 2013 (POPIA) coming to an end on 1 July 2021, time is running out to become POPIA compliant.
POPIA sets out the rules under which companies (the responsible party) may lawfully process the personal information of both natural and juristic persons (data subjects), including where that processing is carried out on their behalf by a processor (operator), and requires companies to appoint an Information Officer to ensure the company remains compliant with the Act.
Steps to take immediately to become POPIA compliant:
- Appoint and register an Information Officer with the Information Regulator and define their responsibilities.
- Complete a current status risk assessment and information audit to establish your data protection compliance level.
- Amend contracts with operators and implement POPIA compliance policies.
- Ensure that security safeguards are in place to protect the information.
- Define the purpose of gathering and processing the information and delete all unauthorised information.
- Inform data subjects that their personal information is being collected, the reason for the collection, and how their information will be processed.
- Report all data breaches to the Information Regulator and data subjects.
- Create an easy process for the receipt of data subject requests to access their information and action these requests.
- Establish whether you can lawfully transfer the information to other countries.
The risks of non-compliance include reputational damage and having to pay damages claims to data subjects. The maximum penalties are a R10 million fine or imprisonment for a period not exceeding ten years for the more serious offences, or both such a fine and such imprisonment.