Ross G Saunders
CompliNEWS
It happened: POPIA finally came into effect on 1 July 2020, and we were given a one-year grace period. A few ‘early adopters’ had been working on their compliance for a few years already, mostly the banks and big enterprise, but also software companies and agencies that saw the value in compliance. When the Act commenced a year ago, loads of folks jumped on board to comply, and many of those have got to a level where they are satisfied. There are those, however, who took the view that the grace period would be extended or that the Regulator was not serious, and did not do much until now: three weeks before full implementation.
With only around 50 (rough estimate) privacy consultants and law firms specialised in the space, there is a mad scramble for assistance in the murky water that is compliance with POPIA, with most (if not all) of us fully booked into July, August, and beyond. So, what do you do if you’re running late and looking to comply? I approached a number of colleagues in the privacy space asking for their top 3 to 5 tips on what you need to focus on RIGHT. NOW. Unfortunately, there weren’t 3 to 5 items; there were many more, with most respondents opting for a top 10. I’ve taken out a few major items that you should be addressing straight off the bat, along with what your roadmap should be going forward.
Important Note on Fly-By-Nights
Given the urgency, I am seeing LOADS of places capitalising on the panic and disorder and offering POPIA compliance services in a hurry, or offering software that can solve the problem. Please ask yourself how long either have been doing this, as the privacy field is most certainly a specialisation. Do not get suckered into paying money for a questionnaire that simply tells you where you are, or for a pack of policies, or a combination of the two. POPIA is much larger than just policies and risk assessments: it is a fundamental change to your business. Please read the article I wrote in January on selecting a reputable service provider in this space.
Records of Processing Activities (ROPA)
This is my top component for your compliance: keeping a record of processing activities. Section 17 of POPIA requires you to maintain documentation of all the processing operations under your responsibility, and a ROPA is the practical way to do that. It is a detailed list of all the activities you perform in the business that involve collecting, using, storing or sharing personal information. A great place to start with your ROPA is the guidance released by the ICO (the UK’s Information Commissioner’s Office).
Your ROPA should include at a minimum:
• Your organisation’s details, as well as your Information Officer’s details
• The activities that you carry out on data – whether it’s internal or external
• The purposes of the processing activities
• What data is processed in each activity (or what category of data is processed)
• Any Special Personal Information that’s processed (race or ethnic origin, religious or philosophical beliefs, health or sex life, trade union membership, political persuasion, biometric or criminal information)
• Details of any transfers to other countries
• How long you keep information for (this could be detailed in other retention policies too)
• A description of the security and safety mechanisms in place for the activities
• What your lawful basis of processing is (consent, contract, legitimate interest, legal requirement etc)
There are numerous templates available for this; the most detailed and easily accessible are those from the ICO and the French regulator, the CNIL. There are also excellent software solutions that can manage this for POPIA, including the likes of PrivIQ, Bizoneo and OneTrust. While you can do a very high-level ROPA, detailing only the categories and purposes, going into deeper detail helps you further down the line in any breach, investigation or gap analysis of your activities.
Third-Party Agreements
If you transfer data to other companies, or use service providers to host information or services, you need to ensure that agreements are in place that cater for the different responsibilities. Compiling a list of all the service providers you use, detailing what agreements are in place and whether privacy is covered by those agreements, is a great place to start. Everything that houses Personal Information of your employees, suppliers or customers, from cloud providers like Microsoft 365 or Google Workspace through to your local service providers, should be listed.
POPIA has the concepts of Responsible Parties (those deciding why and how data is processed) and Operators (those that process purely on instruction from a Responsible Party). Part of your ROPA should detail who is the RP and who is the Operator for each activity, and from there you can identify whether agreements are in place. Sections 20 and 21 require an Operator to treat the information as confidential, to process it only with your knowledge and authorisation, and, in terms of a written contract with you, to maintain security safeguards. So if you outsource any services such as IT, auditing, BEE reporting and so forth, you need appropriate agreements in place. Most cloud service providers have a ‘Data Processing Addendum’ that you can download and sign. This is particularly important for any service hosted in the USA, since the USA is not seen as having adequate federal (national) data protection legislation, and section 72 requires that a recipient abroad be bound by law, binding corporate rules or contract to a substantially similar level of protection (or that you rely on consent or one of the other listed grounds). Ask your service providers for any documentation they have in terms of POPIA, as well as what security safeguards they have in place, and make sure your Operators only process under your written instruction. You may need to draft and sign addendums to existing contracts. Where you share data with other Responsible Parties (who take the data and use it for their own purposes), be clear about who carries which responsibility in the relationship, and that everyone is complying with their obligations under POPIA. Be sure that you have the right lawful basis for sharing the information, and that the recipient does too.
Publish a Privacy Policy/Notice
Your Privacy Policy is the public-facing policy that details what you do with data. It’s how you can be open and transparent with potential customers, current customers, and anyone else who you process data for. Much of what is identified for your Privacy Policy will come from your, wait for it, Record of Processing Activities.
The Act does not prescribe a template, but section 18 lists what a data subject must be told when you collect their information, so I would detail at least the following:
• What data are you processing?
• Why are you processing it, and is supplying it voluntary or mandatory?
• How are you processing it?
• Where is the data processed, including any other countries it is sent to?
• Who else will have access to the data?
• What happens if there is a breach?
• Details of any tracking or cookies in use
• What rights the person has (access, correction, objection) and how to complain to the Regulator
• How does someone get in touch with you?
Registering your Information Officer
The law requires you to register your Information Officer with the Regulator before they take up their duties (section 55). I published a post on this a little while back, and the registration can be completed through the Information Regulator’s online portal.
Implementing Security Safeguards
One of the eight conditions of POPIA is Security Safeguards (section 19), which requires appropriate, reasonable technical and organisational measures to secure personal information. You should document what you have in place to protect data in the different areas and systems, remembering that both the data and the safeguards can be in the physical world (paperwork, filing cabinets) and in the virtual world (data in your CRM, on servers, on laptops and in backups).
You want to consider items such as the following:
• Multi-factor authentication (enable it on everything that supports it, starting with e-mail and remote access)
• Access control (least privilege: review who can reach each data set, and remove access that is not needed, especially for people who have left)
• Alarms and access control for physical security
• Strong, unique passwords, ideally from a password manager
• IT Acceptable Usage Policies
• Restrictions on sharing data (no personal information over personal e-mail or chat apps)
• Restrictions on storing data (known, managed locations only, not USB sticks or personal devices)
• Encryption, in transit and at rest, including laptops and backups
• Logging and backups, so that you can notice a breach, investigate it and recover
While this is a short description, this could arguably be one of the largest ongoing exercises in your compliance journey. Section 19 also expects you to identify reasonably foreseeable risks, verify that the safeguards are actually implemented, and update them as new risks emerge, so document your review cycle as well as the controls.
Getting Consent and Contract Right
This is a massive exercise on its own, requiring careful consideration (and documented evidence) of whether your contracts and consents are sufficient. Under POPIA you have various lawful bases on which you may process data; two of the most relied upon are contract and consent. Contract covers information that MUST be processed in order for a contract to be performed: think of your agreements as a service provider, or your employment agreements, where certain pieces of information simply MUST be processed for you to fulfil your side of the contract. This applies to your clients, employees and suppliers, and all of these agreements should be reviewed to make sure that your usage of data is clearly defined. Consent is generally used when you do not have a contractual reason for processing data, perhaps for optional information that is not an absolute requirement. This ties heavily into your marketing processes, mailing lists, and the processing of any special personal information such as race, religion or political affiliation (there are more of these; see the Special Personal Information categories earlier in the post).
Important notes on consent:
As the Responsible Party, the burden of proof is on you to PROVE that someone gave consent, so it cannot be implied or assumed. Consent can be withdrawn at any time, and you have to have a mechanism for that. We are now in an ‘opt-in’ world: you can no longer add someone to a mailing list and give them the option to opt out. You have to get their opt-in first, and record proof of it (what they were shown, when, and how they agreed), before you can continue contacting them. The one exception is existing customers: section 69 lets you market your own similar products and services by electronic means to people whose details you obtained when they bought from you, provided they were given a reasonable opportunity to object when the details were collected and on every message. Everyone else needs a recorded opt-in.
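The proof-of-consent and withdrawal requirements above are easier to meet with an append-only consent record than with a flag on a contact. The following is an added example in Python, not code from the article or from any of the products it mentions. It assumes each consent event is stored with who, which purpose, when, how it was captured and where the evidence lives; the addresses and events in build_sample_ledger() are constructed sample data.

```python
"""Append-only consent ledger: records each opt-in with evidence, answers
"did we have consent for this purpose at time T", and handles withdrawal.

Added example, not from the article. It assumes each consent event is stored
with who, which purpose, when, how it was captured and where the evidence
lives; the people and events in build_sample_ledger() are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc
NEWSLETTER = "marketing:newsletter"   # consent is per specific purpose, not blanket


@dataclass(frozen=True)
class ConsentEvent:
    subject: str      # e-mail address or customer id
    purpose: str      # the specific purpose the person was asked about
    granted: bool     # True = opt-in, False = withdrawal
    at: datetime      # timezone-aware timestamp of the event
    source: str       # how it was captured: web form, double opt-in e-mail, unsubscribe link
    evidence: str     # pointer to the proof: submission id, message id, wording shown


class ConsentLedger:
    """Events are only ever appended; a withdrawal is a new event, never an edit."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if not event.evidence:
            raise ValueError("refusing to record consent without evidence")
        self._events.append(event)

    def opt_in(self, subject, purpose, source, evidence, at):
        self.record(ConsentEvent(subject, purpose, True, at, source, evidence))

    def withdraw(self, subject, purpose, source, evidence, at):
        self.record(ConsentEvent(subject, purpose, False, at, source, evidence))

    def latest(self, subject, purpose, at) -> Optional[ConsentEvent]:
        """Most recent event for (subject, purpose) on or before `at`."""
        hits = [e for e in self._events
                if e.subject == subject and e.purpose == purpose and e.at <= at]
        return max(hits, key=lambda e: e.at) if hits else None

    def has_consent(self, subject, purpose, at) -> bool:
        # No event at all means no consent: being on an old list is not an opt-in.
        e = self.latest(subject, purpose, at)
        return e is not None and e.granted

    def history(self, subject, purpose) -> list[ConsentEvent]:
        """Everything you would hand over if asked to prove consent."""
        return sorted((e for e in self._events
                       if e.subject == subject and e.purpose == purpose),
                      key=lambda e: e.at)

    def audience(self, purpose, candidates, at) -> list[str]:
        """Filter a send list down to people with a current, recorded opt-in."""
        return [s for s in candidates if self.has_consent(s, purpose, at)]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events; the addresses are not real people."""
    ledger = ConsentLedger()
    ledger.opt_in("alice@example.com", NEWSLETTER, "double opt-in e-mail",
                  "confirmation link clicked, message id 7f3a, from 203.0.113.5",
                  at=datetime(2021, 6, 1, 9, 0, tzinfo=UTC))
    ledger.opt_in("bob@example.com", NEWSLETTER, "web form",
                  "submission 4412, box 'Send me the newsletter' ticked by the user",
                  at=datetime(2021, 6, 3, 14, 30, tzinfo=UTC))
    ledger.withdraw("bob@example.com", NEWSLETTER, "unsubscribe link",
                    "list-unsubscribe request, message id 91af",
                    at=datetime(2021, 6, 10, 8, 0, tzinfo=UTC))
    # carol@example.com was on the old spreadsheet but never opted in: no event.
    return ledger


OLD_LIST = ["alice@example.com", "bob@example.com", "carol@example.com"]


def demo() -> dict:
    ledger = build_sample_ledger()
    earlier = datetime(2021, 6, 5, 12, 0, tzinfo=UTC)    # a send before Bob withdrew
    now = datetime(2021, 6, 17, 12, 0, tzinfo=UTC)       # today's campaign
    return {
        "audience_now": ledger.audience(NEWSLETTER, OLD_LIST, at=now),
        "bob_on_5_june": ledger.has_consent("bob@example.com", NEWSLETTER, at=earlier),
        "bob_now": ledger.has_consent("bob@example.com", NEWSLETTER, at=now),
        "carol_now": ledger.has_consent("carol@example.com", NEWSLETTER, at=now),
        "bob_proof_events": len(ledger.history("bob@example.com", NEWSLETTER)),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The ledger never edits or deletes an event, so a send that went out on 5 June can still be shown to have been lawful even though Bob withdrew on 10 June. And the absence of any event means no consent, which is what forces the old spreadsheet through an opt-in campaign instead of being mailed as-is.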
Data Subject Requests
The people whose data you process have various rights over it. You need to be able to respond to requests for access to their information, correction, deletion, restriction of processing, objection and others, and you need a documented process, because it is not as simple as it appears on the surface. Verify the requester’s identity before you act, since the Act requires adequate proof of identity and acting on a forged request is a breach in its own right. You also cannot honour a deletion request where another law requires you to keep the information. If someone asks you to remove everything you have ever held on them, but you have invoiced them and must keep those records for SARS, you will not be able to delete all of it and will need to provide an explanation. These processes should be documented internally within your company policies, and also clearly stated in your public Privacy Policy/Notice or PAIA Manual.
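The partial-deletion case above (records that must be kept for SARS while everything else is erased) is where a deletion process usually goes wrong. The following is an added example in Python, not code from the article. The record categories, the retention basis strings and the retain_until dates are constructed assumptions; the real retention period for tax records must come from your own legal obligations.

```python
"""Erasure (deletion) request handler that respects legal retention holds.

Added example, not from the article. The record categories, the retention
basis strings and the retain_until dates are constructed assumptions; the
actual retention period for tax records must come from your own legal
obligations, not from this code."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str                           # whose personal information this is
    category: str                          # e.g. "invoice", "marketing profile"
    retention_basis: Optional[str] = None  # law or obligation that requires keeping it
    retain_until: Optional[date] = None    # date that obligation lapses
    restricted: bool = False               # True once use is limited to the retention purpose


def handle_erasure_request(records, subject, today):
    """Delete what can be deleted, restrict what must be kept, report both.

    Returns the surviving record list and a report the Information Officer
    can use to tell the data subject what was kept and why."""
    kept, deleted, retained = [], [], []
    for rec in records:
        if rec.subject != subject:
            kept.append(rec)              # someone else's record: untouched
            continue
        under_hold = (rec.retention_basis is not None
                      and rec.retain_until is not None
                      and rec.retain_until > today)
        if under_hold:
            # Cannot delete yet. Keep it, but flag it so it is not used for
            # anything beyond the legal obligation (restriction of processing).
            kept.append(replace(rec, restricted=True))
            retained.append({"record_id": rec.record_id, "category": rec.category,
                             "reason": rec.retention_basis, "until": rec.retain_until})
        else:
            deleted.append(rec.record_id)  # no hold, or the hold has lapsed
    return kept, {"deleted": deleted, "retained": retained}


def response_text(subject, report) -> str:
    """Plain-language summary for the written reply to the data subject."""
    lines = [f"Erasure request for {subject}:",
             f"  deleted {len(report['deleted'])} record(s): "
             + (", ".join(report["deleted"]) or "none")]
    for r in report["retained"]:
        lines.append(f"  retained {r['record_id']} ({r['category']}) "
                     f"until {r['until'].isoformat()}: {r['reason']}")
    return "\n".join(lines)


TAX = "tax records: retention period assumed for this example, verify with your advisor"

# Constructed sample data; the people and invoices are not real.
SAMPLE_RECORDS = [
    Record("inv-2019-0042", "alice@example.com", "invoice", TAX, date(2025, 2, 28)),
    Record("inv-2014-0007", "alice@example.com", "invoice", TAX, date(2020, 2, 28)),
    Record("mkt-alice", "alice@example.com", "marketing profile"),
    Record("tkt-1188", "alice@example.com", "support ticket"),
    Record("inv-2020-0101", "bob@example.com", "invoice", TAX, date(2026, 2, 28)),
]


def demo() -> dict:
    kept, report = handle_erasure_request(SAMPLE_RECORDS, "alice@example.com",
                                          date(2021, 6, 17))
    return {
        "deleted": report["deleted"],
        "retained": [r["record_id"] for r in report["retained"]],
        "restricted": [r.record_id for r in kept if r.restricted],
        "remaining": [r.record_id for r in kept],
        "letter": response_text("alice@example.com", report),
    }


if __name__ == "__main__":
    print(demo()["letter"])
```

Note that a lapsed hold (the 2014 invoice) is deleted along with the marketing profile and support ticket, while the 2019 invoice is kept and marked restricted so it cannot quietly drift back into marketing or analytics use. The retain_until date has to be populated from your retention schedule when the record is created; a hold with no end date would keep the record forever.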
Training and Awareness
Part of your duty under POPIA is to train your staff and foster general awareness in the company. There is no point in only the Information Officer being aware of the responsibilities while the rest of the staff are unaware of how easily breaches happen. You need to ensure that campaigns are run, be they poster campaigns, speaking engagements, lunch-and-learns, ongoing courses and so on.
Dedicated Time
Lastly, you need to dedicate time to this. A POPIA implementation takes time, and it takes change management. Compliance is not going to happen in three weeks, and I firmly believe you will never attain 100% compliance, as every time your business changes, so do your compliance needs and obligations. POPIA is an ongoing approach, much like servicing your car: there may always be niggles, but you can keep it running with regular upkeep.
Ross G Saunders Consulting offers a number of solutions that can drive your compliance and security maturity; from affordable 16 week group coaching programmes to comply on your own, through to advisory retainers and full programme management. To find out more about the offerings please visit Ross’ webpage. First release of this article was 17 June, 2021.