Protection of Personal Information Act – A Beginner's Guide Part 3
How do you go about becoming PoPI Act compliant?
There is no getting away from the fact that, no matter the size of your organisation, you will have to implement new processes or update your current ones in order to be compliant with the Protection of Personal Information Act when it comes into effect.
In this regard, here are a few steps you should consider following in order to become compliant.
10 things you can do to become PoPI Act compliant
- Read the PoPI Act and articles pertaining to the Act
The first and most important step is to read and understand the Protection of Personal Information Act. This is a long document, but not an overly complicated one. Be sure to carefully read the Eight Conditions of the Act, as these are probably its most important parts: they deal with how information must be processed.
- Analyse your current information processes
Take the time to analyse your current processes and see how they measure up to the Eight Conditions. If they have some similarities, good for you: your job will be that much easier. If they are worlds apart, then approach implementing new processes with a view to benefiting from the opportunity to streamline and improve your information processes. Make sure you maintain security and access control, and take all reasonable steps to ensure information integrity and risk mitigation.
- Identify and define all your purposes for collecting information
Under the PoPI Act, every act of information collection must have a defined purpose, and that purpose must be communicated to those giving you information. Make sure you identify all the possible reasons for collecting information and what the minimum information collection needs are for each.
- Communicate the process and purpose of your data collection
- Consider the need for and impact of further processing information
Where further processing of information is required, you need to make sure it remains relevant to the original purpose of its collection. You will also need to make sure that you communicate this to your subjects.
- Ensure information quality control is implemented
Ensuring the accuracy of the information collected not only benefits you as the user; it is also a compliance requirement. So, make sure your information is up to date, accurate, and does not compromise the privacy of your subject or mislead in any way.
- Communicate compliance to the Information Regulator
At some point in the future, the Protection of Personal Information Act will come into effect, and you will then have 12 months in which to become compliant. Once compliance is achieved, you will need to inform the Regulator.
- Be open to and helpful when data requests are made
Most likely you will receive requests for information from your subjects. So long as these subjects have properly identified themselves, you should handle communications openly, fairly and with all possible speed. So long as you adhere to the PoPI Act and act in a transparent, responsible manner, you should only benefit from the Act.
- Make use of proper retention schedules
Down the line, the need for your subjects' personal information will wane and you will have no further use for it. Make sure you have, and use, reasonable retention schedules for subject data according to your purposes. Once information has reached the end of its retention period, make sure you destroy or de-identify it in a secure manner.