The Protection of Personal Information (POPI) Act will require organisations to be accountable for their processing of personal information.
Organisations will have to ensure that they comply with the conditions for lawful processing of personal information, and with all measures that give effect to those conditions, both at the time the purpose and means of the processing are determined and during the processing itself. To demonstrate accountability, organisations have to interpret the legal requirements and convert them into real, practical measures.
This means that an organisation remains responsible for the lawful processing of personal information throughout the organisation. Responsibility and accountability are two sides of the same coin, and both are vital components of good governance in an organisation. Organisations must actively demonstrate that their processing operations comply with the POPI Act by implementing appropriate and reasonable technical and organisational measures.
Organisations that want to live up to the Condition of Accountability will have to ensure that they have a comprehensive organisational structure in place. This requires a shift in culture within the organisation in order to obtain buy-in from their stakeholders as well as their employees, and to foster a relationship of trust between themselves and their data subjects.
There is no ‘one size fits all’ approach that will work across the board. Organisations must embrace their role and take full responsibility for the personal information they hold in a way that works for them. The measures they implement will depend on the nature of the organisation, its size, its structure, the type and amount of personal information it processes, and so on. The protection of personal information should therefore be a main consideration from the start of designing a product or service to the end of the data lifecycle.
Practical measures for businesses
Businesses may consider the following practical measures for implementation:
- Develop internal ethical standards in the processing of personal information and safeguard the use of that personal information.
- Develop and review internal guidelines/policies for employees, ensuring compliance with legal obligations for processing personal information.
- Identify all employees involved in a processing activity and assign corresponding responsibilities.
- Ensure continuous, sufficient training and education for the organisation’s employees.
- Establish internal procedures PRIOR to new processing operations.
- Keep an internal record of processing activities.
- Establish procedures to manage access to personal information, as well as to review, correct or delete personal information on request of a data subject.
- Establish an internal Complaints Handling Procedure within the organisation.
- Establish internal procedures for effective management and reporting of security compromises.
Every organisation has to live up to the Condition of Accountability and ensure that it is in a position to demonstrate that its responsibility for personal information is working effectively in practice. When accountability is seen in a holistic light and measures are implemented proactively, data protection compliance becomes an advantage that gives the organisation a competitive edge.