Update: Anna Collard, MD at KnowBe4 Africa, has stated that South Africa’s Protection of Personal Information Act (POPIA) was meant to come into effect from 1 April 2020.
This date has been pushed back due to the impact of the COVID-19 coronavirus pandemic, said Collard, and no new date has been set as yet.
Original article: The Act concerns the processing of personal information by companies and other agents, introducing a number of new laws which clamp down on user and employee data processing.
According to KnowBe4 Director of Data Privacy Lecio De Paula, the legislation will have an implementation period of around one year, and many organisations have already begun taking steps to comply.
“However, for as many organizations that are ahead of the curve, there are at least twice the amount that are underwater and struggling to comply,” De Paula said.
De Paula outlined a number of measures which businesses should focus on immediately to ensure their compliance.
Privacy impact assessment
The first step is to determine the changes you will need to make to comply with POPIA.
“This means you need to figure out where you stand in comparison to POPIA’s requirements by conducting a business privacy impact assessment,” De Paula said.
“This is where you’ll identify privacy risks in your organization and come up with a plan to either remediate or accept them.”
This assessment should comprise broad investigations into your organisation as well as inspections of specific processes and departments.
“Business privacy impact assessments are the lifeblood of a privacy program, and are essentially an audit you conduct against controls that your organization has in place to comply. These should be conducted on a periodic basis,” De Paula said.
Address the pressing issues
De Paula said that it is best to focus on the more pressing problems identified during the impact assessment.
“Depending on the type of organization you’re in, different processes may have different priorities.”
“If you’re a SaaS tech company, you may begin by first focusing on what you need to do to ensure your services are in compliance with the law. The key is to tailor your approach and tackle each issue with a risk-based approach,” De Paula said.
Companies should focus on high-risk processes – starting with customer data processes and working towards employee data privacy.
This will involve collaboration with many departments and will require the participation of executives, De Paula noted.
Once you have implemented changes to address high-risk issues and ensured compliance, you should create a system to monitor these measures.
“What’s difficult about privacy is that everything is constantly evolving, and it will always keep you on your toes,” De Paula said.
“Most organizations do not have a robust team of privacy professionals and it’s usually limited to a few individuals, if any at all.”
De Paula added that automated processes can be useful in this context, along with the necessary infrastructure to monitor enterprise data flows.
“In more simplified terms, organizations should audit every location they store personal data on, see what controls are in place to protect this data, and document those controls or the controls that are being put in place.”
“There are various other obligations of course, but initially it’s all about understanding how, where and why your organization stores personal data,” De Paula said.