POPI will be fully implemented on 1 July 2021. Express Employment Professionals delves into POPI, what it is, and compliance checklists.
In less than one month, the Protection of Personal Information (POPI) Act will be implemented. If you have never heard of it, or have not yet taken the time to become informed about POPI, continue reading.
What is POPI?
According to mastershred.com, “The purpose of the Act is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to information, and to regulate how personal information is processed. The basis of the POPI Act is that organisations need to conduct themselves responsibly – responsible corporate citizenship. Organisations should not only be responsible, but should be seen to be responsible corporate citizens. Part of this responsibility is to protect the information inside the organisation, and to be responsible when it comes to the process of storing and sharing personal information. Personal information is to be seen as precious goods and that the Act requires organisations to exercise control over these precious goods.”
So what does this mean for you, us, businesses, clients and staff?
Hiring staff and employees in any business or industry involves personal information on all fronts. So, with regard to POPI, what personal information does this entail? It includes birth dates, identity numbers, contact details, criminal records, photos, health information, demographic information, physical addresses, employment history, salary details, education information and other private details of an individual. POPI relates to companies, with all organisations considered to be data subjects.
For you and your business, POPI affords you the same right of protection. “The Act applies to anyone who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving, or using such information; or disseminating, distributing or making such personal information available. The Act will also relate to records which you already have in your possession.”
Compliance Checklist And Preparations
First off, companies will have less than one month to comply with the conditions of the Act, starting from 1 July 2021. They will then need to obtain processes and systems to keep personal information safe and protected when it is in storage or being shared or transferred from applicable parties.
- Do you have a Disaster Recovery Plan in place?
- Are your IT governance and security up to par and used in meetings?
- Do you have a clear and concise plan for when cyber breaches occur?
- Have you done a cost analysis to determine which critical elements need to be protected during a cyber breach?
- Have you assessed warm, hot and cold sites to use?
Once you are able to answer yes to the above questions, you need to continue ticking all the boxes on the compliance checklist. When the Act is in full force, you will need to do the following, along with other items not listed below but found on the POPI website:
- All personal information must be collected directly from the “data subject”.
- Only collect personal information for a specific, explicitly defined and lawful purpose.
- All personal information no longer needed must be disposed of, and personal records destroyed in a way that prevents them from being reconstructed.
- Personal information can only be used for the purpose for which it was collected.
The list of to-dos and preparations is lengthy, so we advise you to do thorough research on the Act and ensure you read through every section to gain a full understanding of what is required.