Step #1: Have you appointed an Information Officer?
Did you know the role of the Information Officer is now governed by the provisions of PAIA as well as PoPI? And that if you don't already have an Information Officer, then your CEO fills the role by default.
Since CEOs rarely have the time, it's best to find a dedicated resource: someone who fully understands the law and your data practices.
Appointing an in-house Information Officer means your company-sensitive information also remains in-house, and the incumbent will be able to leverage existing working relationships to fulfil their role more efficiently.
You can also outsource this role to a service provider such as iOCO.
Your Information Officer is responsible for:
ensuring your organisation complies with the laws for processing personal information; and
working with the Regulator to facilitate any investigation conducted in accordance with the relevant provisions of PoPIA.
Step #2: Have you reviewed your PAIA Policy?
In terms of Section 17 of the Protection of Personal Information Act (PoPIA), all responsible parties must maintain documentation of all processing operations to ensure transparency.
Step #3: Have you created a data inventory of all fields of personal data across all systems?
A data inventory will help you track the flow of sensitive data and where it is stored.
Step #4: Have you determined the retention requirements which govern the personal information in your environment?
PoPIA requires the destruction of all records of personal and other information when they are no longer needed, so you need a disposal programme that is strictly followed.
A key element of disposal is ensuring all duplicates are also destroyed, so a process for identifying and removing duplicates should be adopted. This applies to both physical/paper-based records and electronically stored documents and data.
In addition, you need to review other regulations and acts that may prescribe specific retention requirements.
Step #5: Have you reviewed all third-party contracts and determined their operator compliance for the processing of personal information?
Operators processing personal information must be fully aware of their responsibilities. This includes only processing information with the knowledge and authorisation of the responsible party and treating all personal information which comes to their knowledge as confidential and not disclosing it unless required by law.
Processors must adhere to a relevant personal data processing agreement covering security and processing rules; this must be signed and stored.
Compliance should be agreed upon prior to the commencement of processing and/or capturing of personal information. This agreement should be backed up digitally and be available in the event of proof being required. All valid training completion and certification should also be attached.
A Proof of Compliance certification document is recommended per operator and is to be attached to the operator's records.
Step #6: Are all your processes properly documented?
All processes must be documented and a responsible person must maintain the documentation of all processing operations under their responsibility.
This includes documenting system/information processes and information flows within the organisation. The data flow tool in our app can be used to support this.
Step #7: Is all client documentation updated in line with the latest PoPI policies and standards?
All client contracts, project documentation and any other client-related documentation need to be updated according to the latest PoPI policies and standards to ensure the responsible handling of personal information, and minimise the risk of a fine or imprisonment.
Step #8: Are your IT security standards up to date with all PoPI policy changes?
The key security requirement in the PoPIA is captured in Condition 7 of the Act – Security Safeguards. It requires organisations to secure the integrity and confidentiality of personal information.
You need to ensure appropriate information security policies and technologies are implemented to prevent loss, damage or destruction of personal information.
Step #9: Do you have a breach response policy?
In the event of a breach of personal data, the data subject and the Regulator must be informed of the event.
Create and implement an incident management process as it relates to the personal information of a data subject. A standardised template/system capturing the details of a breach, the time, data subject details and operator details, as well as any other relevant information, is recommended. This process should include internal review of incidents and notification of the data subject and the Regulator.