Are you confident that your organization is fully POPI compliant?

Everyone has the right to privacy. And that right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. Most of us have been on the receiving end of violations of personal privacy. It’s unpleasant and annoying to have your privacy invaded with something you didn’t opt in for in the first place. And it’s not terribly good for your organization’s brand either. But that’s only the tip of the iceberg. There are much larger considerations at play.

In South Africa, the Protection of Personal Information (POPI) Act, No. 4 of 2013 is designed to ensure protection of personal information by public and private bodies. POPI promotes transparency in relation to what information is collected, as well as how it is to be processed. POPI places contractual obligations on your organization that you must adhere to. Many organizations remain uninformed or ill-informed about the nature and detail of these contractual obligations, and thus about what is really at stake. They erroneously assume that a one-size-fits-all approach will be enough. It may not be.

So what does compliance demand and what are the risks of non-compliance?

POPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. Compliance is also about identifying personal information and taking reasonable measures to protect sensitive data. Non-compliance could put your organization at risk of an information security breach. POPI compliance is likely to reduce the risk of data breaches and the associated public relations and legal ramifications for your organization. It’s not something to delay any further.

There are 8 information-processing principles that form the core of POPI, which need to be adhered to:

  1. Processing Limitation: Processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive, given the purpose for which it is processed
  2. Information Quality: The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, taking into account the purposes for which it was collected
  3. Accountability: The responsible party must ensure that the eight information processing principles are complied with
  4. Purpose Specification: Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The responsible party must take steps to ensure that the data subject is aware of the purpose for which his/her personal information is being collected
  5. Further Processing Limitation: This is where personal information is received from a third party and passed on to the responsible party for further processing. In these circumstances, the further processing must be compatible with the purpose for which it was initially collected
  6. Openness: Personal information may only be processed by a responsible party that has notified the Information Protection Regulator. Further, certain prescribed information must be provided to the data subject by the responsible party, including what information is being collected, the name and address of the responsible party, the purpose for which the information is collected and whether or not the supply of the information by that data subject is voluntary or mandatory
  7. Security Safeguards: The responsible party must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorized destruction of personal information and preventing unlawful access to or processing of personal information
  8. Data Subject Participation: A data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject and request from a responsible party the record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.

It’s not all about risk, but about good practice too.

At GRCBizassurance we encourage our clients to build the business case, and to realize the benefits of POPI compliance. POPI compliance measures are likely to improve the overall reliability of your organization’s data and databases. Don’t just aim to mitigate data risks and prevent data breaches. Rather, aim to improve how you manage sensitive data and ensure data privacy. Rolling out your POPI compliance programme makes business sense, and must be led by a Business Sponsor.

Taking a one-size-fits-all approach may not be sufficient. Our advice? Get informed, get compliant, get good practice measures in place.

This blog was first published on

Need assistance with your POPI compliance? We can assist with the Design and Rollout of your POPI Compliance Programme. Visit