POPIA is South Africa’s recently promulgated data protection legislation, and organisations must ensure they comply with the regulations it imposes upon them.
John Giles and Mark Heyink, attorneys at Michalsons who assist clients in processing personal data lawfully, speak with Aki Anastasiou about data protection in the first episode of Microsoft’s POPIA Compliance Series.
Giles explains that POPIA applies to anybody who is processing personal data in South Africa – whether they are large or small, and whether they are a private or public organisation.
He also explains that POPIA covers both analogue and digital data, meaning that any South African organisation that stores personal data of any kind must ensure it is POPIA compliant by 1 July 2021, or risk major fines.
An interesting point raised in this discussion was the concept of compliance fatigue, which involves businesses feeling the weight of consistently being expected to implement compliance measures that seem to offer little direct value to the business.
This has been particularly relevant during the current global crisis, as businesses are looking to save money and may be tempted to weaken their compliance measures in a bid to cut costs.
However, Giles and Heyink explain that compliance will protect your organisation from large fines in the medium to long term, and importantly, it is also an investment in your business partnerships, as many partners will simply refuse to do business with you if you can’t guarantee compliance with POPIA.
Giles and Heyink also highlighted that data protection laws like POPIA are not exclusive to South Africa and that we are actually lagging behind in implementing such laws.
They noted that POPIA is very similar to other global regulations regarding data protection – such as GDPR in Europe.
“There may be differences around compliance and there are going to be differences around penalties, but the fact of the matter is that the principles that underlie how we process information are pretty much the same,” said Heyink.
Preparing for POPIA
Giles said the first step organisations need to take in their compliance journey is to ensure the board is aware of why POPIA is necessary and how it will impact the organisation’s operations.
Your organisation then needs to ensure that it has the proper structures in place – such as deciding who will be in charge of ensuring compliance within the organisation’s systems.
Your organisation also needs to execute a gap analysis before taking action based on the results of this process.
While these technical steps are important, it is also critical that your organisation embraces data protection completely, as this will help you to streamline your compliance processes.
A great way to navigate this process is by using Microsoft’s Compliance Manager, which enables organisations to navigate these steps using a comprehensive and intuitive interface.
The next video in the Microsoft POPIA Compliance Series will delve into the Microsoft Compliance Manager and other important tools that enable POPIA compliance.