POPI compliance according to Master Data Management
- May 31, 2021
The Protection of Personal Information Act (POPI or POPIA) is South Africa’s data privacy legislation, and if you haven’t heard of it yet, you need to get on top of things now. “If you have just started, then here are five concrete steps to take in the next month,” says Gary Allemann, MD at Master Data Management.
With only a month until POPI takes effect, many businesses have left implementing their compliance procedures until the last minute. There are, however, specific measures you can take to begin your journey. “The GDPR experience has taught us that having a clear plan and strategy for compliance is critical.”
Here, MDM outlines five tangible measures you can follow to get started on your quest.
Familiarise yourself with POPI
The Act is written in relatively simple language, and you should be able to grasp the essentials just by reading it. As you read, keep in mind that the Act’s goal is to safeguard the rights of your customers, employees, and suppliers, not to ruin your company.
In most circumstances, what the Act proposes is common sense: ensuring that sensitive data isn’t misused and that it is used only for its intended purpose. Consumers increasingly prefer to do business with organisations that value their rights and needs, so POPI compliance can be a competitive advantage.
Of course, if you are unsure about a particular point, you should consult your legal counsel. You might also wish to learn more about data privacy principles in general, for example by taking a Data Privacy and Protection Fundamentals course.
Register your Information Officer with the regulator
Under the Act, your company is legally required to register its information officer with the regulator’s office. In most smaller businesses the CEO or MD will hold this role, although the responsibility can be delegated. Larger organisations can also register a deputy information officer. Fortunately, the regulator has created a web page where you can register online, and the site also gives you a rundown of your responsibilities. Visit https://www.justice.gov.za/inforeg/portal.html to register.
POPI compliance features on your website
The Global Data Protection Regulations of the European Union require websites to tell users about tracking cookies and give them the option to accept or opt out of them. Most modern web development environments offer built-in compliance features. If you haven’t already done so, ask your site developer to activate GDPR compliance.
Make sure you offer an unsubscribe function
If you use email newsletters or other forms of electronic communication, make sure you provide an opt-out option and that you honour it. Likewise, call centres should respect “do not call” requests. Ignoring a customer’s request not to market to them is already prohibited, but POPI adds new penalties. Receiving unwanted and irrelevant calls and emails also leaves a terrible taste in the mouths of many customers, especially if they have stated that they are not interested. Are you marketing only to people who actually want to hear from you?
Think about your breach processes
In the worst case, your company might suffer a data breach, with an unauthorised person gaining access to, and potentially disclosing, critical customer, supplier, or employee data. According to the Act, you must notify affected parties within a reasonable time if their data has been compromised. This is possibly the most visible component of the Act. So, who will you call at 3 a.m. if you, or a member of your technical staff, become aware of a potential breach of customer or other personal data? To manage the problem and minimise its effects, you must decide in advance what your response will be.
POPI compliance is a journey
POPI requires you to implement sound data management principles throughout the data lifecycle, to ensure both that personal data is identified and that access to it is limited to users with a lawful purpose. “This can take a lot of time and work for everyone, and it may not be possible by the July 1st deadline, but you can make a start,” says Allemann.