With the introduction of the Protection of Personal Information Act 4 of 2013 (referred to as “POPIA” or “the POPI Act”) and the publication of the final Regulations in Government Gazette no 42110 on the 14th of December 2018, numerous businesses ask the same question: “How do I become POPIA certified or obtain a POPIA compliance certification?”
Apart from the requirements and objectives set out in the POPI Act, the Information Regulator has not yet set up a system that allows for a certification process.
This means that, as yet, there is no such thing as being POPIA certified. It will nevertheless be of the utmost importance to make sure that the eight conditions for lawful processing are implemented in a reasonable, practicable manner, in order to limit your liability for infringements and reduce the risk of penalty fees or compliance orders, as well as potential lawsuits.
In a nutshell, in order to understand what these eight conditions entail, you must begin with the following:
Condition 1: You must be accountable in how you give effect to these eight conditions and be able to demonstrate your accountability;
Condition 2: You must be aware of the limits to the processing of personal information;
Condition 3: The information must be collected for a specific and lawful purpose;
Condition 4: Any further processing of information must be compatible with the purpose for which it was collected;
Condition 5: The information must be kept accurate and up to date;
Condition 6: You have to be open about how you process personal information;
Condition 7: You have to ensure that you keep your information safe;
Condition 8: The data subject has a right to access any personal information that you have about them.
If the business actively implements these basic conditions, you will at least have some form of compliance, on the grounds that you, as the business owner, did have reasonable steps in place. By keeping a record of this, you will also be able to prove the steps you have implemented if a third party queries your compliance.
The business should foster a culture of privacy and accountability and ensure that appropriate training is regularly given to its employees. Not only will training guide them through what POPIA is about and what it requires of them to protect the personal information they have access to and process, but it will also establish privacy awareness in their day-to-day business operations.
There are many good reasons to comply with POPIA. Not least of these is being worthy of the trust placed in the business by its customers. A smart business will see this as an opportunity to build a secure reputation, to take advantage of it, and to do privacy right.
Applying the suggestions above will go a long way toward achieving compliance with POPIA.
About the Author
Frank Maritz is a SEESA Consumer Protection Act and POPI Senior Legal Advisor at the Bloemfontein branch.