POPIA compliance checklist
The Protection of Personal Information Act, 2013 (POPIA Act) aims to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information so as to establish minimum requirements for the processing of such information. This article provides a POPIA compliance checklist.
Please note that the following checklist is intended to provide a simplified example of a POPIA compliance journey only!
Stage 1: Initiation
- Protection of Personal Information Act (POPIA) Assessment
  - Complete a readiness assessment to identify the gap between your current position (As Is scenario) and what you need to put in place
  - Engage with stakeholders in the assessment
- Information Officer
  - Appoint an Information Officer (IO), typically the CEO, assisted by one or more Deputy Information Officers (DIOs)
  - Complete the formal appointment process (up to Board level if necessary)
  - Agree IO/DIO roles and responsibilities, including management of the Promotion of Access to Information Act (PAIA)
  - Ensure alignment between your PAIA and POPI Information Officer (IO)
- Project Charter
  - Use the assessment feedback to draw up a POPI compliance project charter as your guiding document
  - Set interim and final compliance targets, including timescale and budget, in line with the POPI Act
  - Get approval for your project charter
  - Identify the project sponsor and project manager
  - Identify relevant stakeholders and develop a stakeholder analysis, e.g. a RACI chart (responsibility assignment matrix: Responsible, Accountable, Consulted, Informed)
Stage 2: Planning
- Identify what Personal Information is processed in your business
  - Analyse what Personal Information is processed, such as access control, CCTV, forms, biometrics, and other information collection methods and devices that may be at risk of a data breach
  - Consider user rights and their management
  - Identify what is required by the POPI Act, such as consent, purpose, source, sharing and destruction
  - Assign your Personal Information analysis down to the data owner level
- POPI Act compliance policies
  - Develop your data protection compliance policies within your overall policy structures; review existing relevant policies; check that policies such as data protection policies are clear, in easily understood wording, reasonable and appropriate, and enforceable
  - Design your Privacy Notices for the various stakeholder groups and include stakeholder communications as part of your project
- Review your website(s)
  - Create a checklist of requirements such as a Privacy Policy, Terms of Use, Cookie notifications and opt-in notices on forms
  - Develop and implement your remediation plan
- Promotion of Access to Information Act (PAIA) manual
  - Confirm whether your organisation needs a Promotion of Access to Information Act (PAIA) manual and by when (18 December 2020 Government Gazette No 44003)
  - Create and update your PAIA manual, ensuring that it follows the prescribed layout, includes the necessary details and is published, and that you have an access request process
  - Educate your stakeholders
Stage 3: Execution
- Personal Information management processes
  - Build ongoing compliance into your business and Personal Information management processes
  - Manage the Personal Information lifecycle: information acquisition, processing, retention and destruction practices
  - Develop measures to ensure ongoing compliance, such as self-assessments, health checks, formal audits and a Compliance Dashboard
- POPIA compliance training
  - Identify your stakeholder groups and their needs, create training according to those needs, and undertake training on stakeholder roles in POPI Act compliance
  - Create ongoing user education using various training methods, such as self-study, online, classroom, audio and video
  - Stay updated regarding the Information Regulator at https://www.justice.gov.za/inforeg/index.html
Stage 4: Monitoring and Controlling
- POPIA compliance operating standards
  - Build compliance into your products, services, information systems and operating processes
  - Adopt “Privacy by Design”
  - Monitor the data protection ecosystem (legislation, regulations, opportunities and threats)
  - Build POPI into your everyday way of working