Quick check on how much you really know about POPIA
With the 30 June 2021 deadline fast approaching, businesses that haven’t embarked on their journey to compliance with the POPI Act yet will have to brace themselves for a tumultuous ascent in 2021. The mountain of compliance is steeper than the sight of it, and the climb more onerous than initially anticipated. Simply put, it demands a lot more than peripheral changes to existing documentation and disclaimers.
Protecting privileged customer or client information ultimately requires closer scrutiny of the systems, processes and data security measures used to process personal information, over and above alignment and/or adaptation of existing policies, procedures and documentation. For starters, businesses will need to measure their POPIA readiness, assess their current compliance status, and empower their designated Information Officer/s with sufficient knowledge and insights to champion cross-organisational implementation, before the end of the 30 June 2021 deadline. Furthermore, Information Officers will need to be registered by 31 March 2021, which leaves those responsible for compliance in their businesses with even less time to unravel the web. We developed our POPIA Solutions with these constraints in mind.
To get you out of the blocks, we compiled a short checklist that you can use to gauge your POPIA readiness. If your answer to any of the questions is ‘NO’, you should strongly consider one of our affordable, fully customisable Toolkits, which are available for download immediately upon purchase. If you require a tad more assistance, we highly recommend our most popular option, the CelaPOPI Advanced Toolkit. If you need direct assistance from our legal and compliance advisors, we recommend our Complete POPIA Compliance Solution.
- Have we appointed an Information Officer? (Accountability)
- Do we have a policy for dealing with Personal Information protection issues? (Accountability)
- Can we prove we have trained our staff in their duties and responsibilities under the Act, and are they putting them into practice? (Accountability)
- Can we show the Personal Information gathered is not excessive? (Minimality)
- Do we know what we are going to use the Personal Information for? (Specific purpose)
- Can we prove that the people whose Personal Information we hold know that we’ve got it, and are they likely to understand what it will be used for? (Consent)
- For staff contact details published on our website, do we have consent for this? (Consent)
- Do we have a POPI-compliant privacy notice on our website? (Consent)
- If we want to monitor staff, for example by checking their use of email, have we told them about this, explained why and got their consent? (Consent)
- Can we prove we are respecting the rules about Special Personal Information? (Special Personal Information)
- Can we prove the Personal Information is accurate and up to date? (Information Quality)
- Would our staff know what to do if one of our employees or other individuals asks for a copy of the Personal Information we hold about them? (Openness)
- Can we prove the Personal Information is being held securely, whether it’s on paper or on computer or any other format? (Security safeguards)
- Do we have an up-to-date PAIA manual on our website? (Openness)
- Can we prove access to Personal Information is limited only to those with a strict need to know? (Security safeguards)
- If we are asked to pass on Personal Information, are our staff clear on when the POPI Act allows them to do so? (Further processing)
- Do we delete/destroy Personal Information as soon as we have no more need for it? (Effective destruction & Retention Periods)
- Do we have a process to handle Data Subject requests? (Information Officer)
- Can we prove we are complying with the rules about Electronic Direct Marketing?
- Can we prove we are complying with the rules about Cross-border flows?