By Maeson Maherry, CEO, LAWtrust Information Security
Protection of Personal Information Act (POPIA)
The passing of the Protection of Personal Information Act (POPIA) aims to secure and protect consumers’ and companies’ personal information. In adhering to POPIA, businesses should consider several factors to avoid violating its provisions.
LAWtrust CEO, Maeson Maherry, says that in order to achieve the protection of consumers’ personal information, POPIA sets conditions for when it is lawful for someone to process someone else’s personal information. As such, becoming compliant will impose an increased governance duty on companies, which in turn will inspire trust in an organisation.
Essentially, POPIA is set up to protect people from harm by protecting their personal information. With the proper cyber security measures put in place, consumers’ identities will not be stolen, which is important in protecting their privacy.
“Section 19 of POPIA has established a comprehensive set of cybersecurity and data protection duties for responsible organisations. At a primary level, organisations are required to secure the integrity and confidentiality of personal information in their possession and under their control by taking all appropriate, reasonable, technical and organisational measures,” adds Maherry.
Top five things to consider in your POPIA compliance:
- Train personnel: Privacy awareness amongst your team is an ongoing effort. Training is meant to communicate the organisation’s privacy policies and processes, such as data collection and retention, and breach or incident reporting. With regular, bite-sized and engaging training, you can ensure that end-users are reminded of their responsibilities on an ongoing basis and receive advice on how to put security into practice in their day-to-day work.
- Appoint an Information Officer: The Information Officer is entrusted with great responsibility and a duty to ensure that the organisation complies with both POPIA and PAIA. Depending on the size, scope, and function of your organisation, appoint either a dedicated POPIA compliance officer or a full team.
- Assign responsibilities: Each business unit or department can start with personal information audits to map what personal information is processed by the business. Determine who is responsible for the collection, processing, storing, managing or destruction of personal information.
- Analyse what and how Personal Information is processed: Use a broad definition of record types as per POPIA (e.g. CCTV, biometric). Look at the various aspects required by POPIA (including consent, purpose, source, sharing, destruction). Also consider user rights and their management, and think broadly about the types of devices on which data is stored, since each one represents a risk of security compromise.
“Organisations should have practical compliance measures and employ understandable language in their privacy notices. This will help to ensure compliance, avoid penalties, reputational damage and putting their clients at risk,” concludes Maherry.