#PlanForPOPIA guide

POPIA GUIDE: HOW TO GET YOUR ORGANISATION READY FOR POPIA

PPM ATTORNEYS

Posted on 27-Mar-2022


POPIA: A BRIEF OVERVIEW


WHAT IS POPIA?

The Protection of Personal Information Act 4 of 2013 (POPIA) is South Africa's comprehensive data protection legislation. POPIA aims to balance the constitutional right to privacy against other competing rights and interests, especially the right of access to information.

THE LINGO YOU’VE GOT TO KNOW

Personal information: information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person.

The data subject: the person to whom the information relates.

The responsible party: the person who determines why and how to process the

information.

The operator: a person who processes personal information on behalf of the

responsible party.

Processing: any operation performed on personal information.

Information Regulator: the body created by POPIA to monitor and enforce

compliance by public and private bodies.

EXCLUSIONS

There are certain circumstances where POPIA does not apply. These are called

“exclusions”. We have listed them below.

Personal/household activity: This includes any notes, lists, and other personal

information collected and stored for private use.

De-identified information: information from which a person cannot be identified, whether directly or by linking it to other information.


National security: If the processing of personal information, such as a criminal

record, is necessary for the safety of the country, certain relaxations in

compliance would apply.

Journalism: Journalists acting in line with their code of ethics would be exempt

from compliance with certain provisions.

Art and literature: Compliance restrictions are relaxed when the processing is

solely for artistic or literary purposes.


POPIA IN A NUTSHELL


HOW TO GET YOUR HOUSE IN ORDER


WHY COMPLY

PERSONAL INFORMATION IS AN ASSET

Securing this asset[1] becomes something which is marketable and may lead to increased business. This is because if you are treating personal information better than your competitors, customers are likely to gravitate to you. If you need convincing, check out this abridged version of the Cambridge Analytica scandal.[2]

ENTRY INTO THE INFORMATION ECONOMY

Personal information cannot be exchanged with companies who don't comply with strict data protection laws. Non-compliance will probably mean that only a limited number of compliant businesses will agree to do business with you.

REPUTATION

Becoming POPIA compliant will increase transparency which in turn will inspire

trust in any entity. People place immense value on trust, and fostering that trust

will inevitably make your business more popular.

COST SAVING

Investigations into information governance often reveal inefficient processes and

systems, which, when streamlined, will increase efficiency and productivity.

[1] A 2019 study valued personal data at about $1,000.00 a year. https://www.statista.com/chart/18433/the-price-of-personal-information/

[2] https://www.vox.com/policy-and-politics/2018/3/23/17151916/facebook-cambridge-analytica-trump-diagram


LAWFULNESS

Not least of all, there are severe penalties for non-compliance. The Information Regulator can impose administrative fines of up to R10 million, and certain offences under POPIA are punishable on conviction by a fine or imprisonment of up to 10 years.

HOW TO COMPLY

ASSESS

Identify any gaps in compliance by conducting a thorough gap analysis.

PLAN

Identify processes and procedures that need to be put in place in order to ensure

compliance.

DEVELOP

Create and/or update your policies and align your procedures with your

compliance plan.

IMPLEMENT

Train and educate all role players. Every person MUST have an accurate and

complete idea of what is expected of them in terms of ensuring personal

information is protected.

MONITOR

Establish checks and balances to monitor compliance and identify any shortfalls.

REACT

Have clear, practical and compliant reaction plans in place for any kind of breach.


PLAN YOUR PRIVACY GOVERNANCE PROGRAMME

APPLICABLE LAWS AND RELEVANT FRAMEWORK


WHICH PRIVACY LAWS APPLY TO MY ORGANISATION?

The Promotion of Access to Information Act, or PAIA was established to promote

the right of access to information and to promote transparency and accountability

within both the public and private sectors of society in order to more fully realise

South Africa's goals of an open and participatory democracy.

The Regulation of Interception of Communications Act, or RICA regulates the

interception of communications, the monitoring of radio signals and radio

frequency spectrums, and the provision of communication-related information in

the records of telecommunication service providers. It regulates law enforcement

where interception of communications is involved and prohibits the provision of

telecommunication services which do not have the capability to be intercepted. It

also requires telecommunication service providers to store communication-

related information.

The General Data Protection Regulation, or GDPR, is the European Union's ("EU") counterpart to POPIA. The GDPR's primary aim is to give individuals control over their personal data. It also aims to simplify the regulatory environment for international business by unifying the regulation within the EU. If you transfer personal information to another country, section 72 of POPIA permits this (among other grounds) only where the recipient is subject to a law, binding corporate rules or a binding agreement that provides a level of protection substantially similar to POPIA. The GDPR provides protection comparable to POPIA, so transfers to recipients in the EU can generally rely on this ground; you should still record each transfer and the safeguard relied on in your records of processing activities.


CHOOSE A FRAMEWORK

There are a number of potentially viable frameworks to choose from. A

framework is essentially a basic structure that you can base your privacy

compliance program on. It saves you having to reinvent the wheel. You are not

obliged to follow one: you can extract those elements that best suit your

organisation. Here are three examples:

GAPP – Generally Accepted Privacy Principles;[3]

ISO/IEC 27001 – Information Security Management;[4] and

NIST – the National Institute of Standards and Technology Cybersecurity Framework.[5]

[3] https://iapp.org/media/presentations/11Summit/DeathofSASHO2.pdf

[4] https://www.iso.org/isoiec-27001-information-security.html

[5] https://www.nist.gov/cyberframework

DESIGN YOUR PRIVACY TEAM

WHAT SHOULD YOUR PRIVACY TEAM LOOK LIKE?

WHAT ARE THE DUTIES OF THE INFORMATION OFFICER AND DEPUTY INFORMATION OFFICER?

The Information Officer of a public body is the head of that public body. This means that for a national or provincial government department it is the Director-General or the equivalent official of that department who is the Information Officer. For a municipality the municipal manager is the Information Officer. In the case of any other public body the Chief Executive Officer is the Information Officer. In the case of a private body, the Information Officer is by default the head of that body: the owner of a sole proprietorship, a partner in a partnership, or the Chief Executive Officer (or equivalent) of a juristic person.

THE INFORMATION OFFICER HAS THE DUTY AND RESPONSIBILITY TO:

- encourage compliance with the conditions for the lawful processing of

personal information in terms of POPIA;

- deal with requests made in terms of POPIA;

- work with the Information Regulator in relation to any investigations to be

conducted; and

- otherwise ensure compliance by the body with the provisions of POPIA.


THE INFORMATION OFFICER IS RESPONSIBLE FOR ENSURING THAT:

- a compliance framework is developed, implemented, monitored and

maintained;

- a personal information impact assessment is done to ensure that adequate

measures and standards exist in order to comply with the conditions for the

lawful processing of personal information;

- a manual is developed, monitored, maintained and made available as prescribed in terms of POPIA and PAIA (it should be made available on your website as well as at your offices for public viewing during normal business hours). The manual must also be made available for copying, on payment of a fee not exceeding R3.50 per page. The manual must specify, inter alia:

- the purpose of the processing of personal information;

- a description of the categories of data subjects;

- the recipients to whom the personal information may be supplied; and

- the planned trans-border or cross-border flows of personal

information.

- internal measures and systems are developed to process requests for

information; and

- internal awareness sessions are conducted regarding the provisions

of POPIA.

Information Officers are also required to appoint Deputy Information Officers to

assist them in the performance of their responsibilities and duties and to ensure

that the requests for information are dealt with in an effective and efficient manner.

There is no limitation on the number of Deputy Information Officers that an

Information Officer may appoint.


WHAT SKILLS AND TRAINING WOULD BE REQUIRED?[6]

All role players must be able to:

- articulate the requirements of POPIA;
- demonstrate an understanding of the conditions for the lawful processing of personal information;
- identify the technical and organisational measures necessary for protecting personal information;
- describe the various roles and responsibilities of the personnel who are responsible for the protection of personal information; and
- understand the effort needed to meet the requirements of POPIA and the conditions for lawful processing of personal information it contains.

APPOINTING POPIA CHAMPIONS IN EACH DEPARTMENT AND REPORTING TO HIGHER MANAGEMENT

Best practice is for organisations to have Deputy Information Officers and privacy

champions in each business area. If POPIA compliance is not written into a

number of people’s job descriptions, POPIA compliance won’t work.

[6] https://www.ppmattorneys.co.za/implementing-effective-privacy-training-in-organisation/


DESIGN YOUR PRIVACY PROGRAMME


DATA ASSESSMENTS

RECORDS OF PROCESSING ACTIVITIES: THE “STATE ON THE GROUND”

It is crucial to list your processing activities and describe them. Here is a template to assist, with one column per item:

- Name of processing
- Responsible party
- Work stream
- Purpose for processing
- Legal basis for processing
- Categories of data subjects
- Approximate volume of data processed
- Categories of personal information processed
- Categories of recipients of the personal information
- Data location (hard and soft copies)
- Communication channels used
- Where is the data sent? (include third countries)
- What safeguards exist for third countries?
- Data retention period
- Data deletion mechanism (including disposal) and description
- Brief description of technical and organisational security measures
- Comments

This first step will allow you to proceed further with the gap assessment.


GAP ASSESSMENT: THE INITIAL STEP TO YOUR COMPLIANCE JOURNEY

A gap assessment can be done in house or with the assistance of an external consultant. Legal and IT expertise is required.

Documentation review:

- Policies and procedures
- Vendor contracts
- Customer terms and conditions / contracts
- Notices and consent forms
- HR documentation

Interviews with key stakeholders:

- POPIA Champions
- HODs

Fact checking exercise

It is important when performing a gap assessment to check whether practices

within the organisation are aligned with the policies and procedures which have

been issued.

The result of this exercise will be a report on gaps to be closed within your

organisation.

It should be presented in a practical manner. Using a Red-Amber-Green ("RAG") format makes it visually easier to see the status of each issue.[7] It allows you to prioritise a list of actions in order to close the gaps based on the risks involved.

[7] https://www.intrafocus.com/2019/08/red-amber-green-reporting/


You will be able to design and undertake a remediation plan, based on this

assessment.

PERSONAL INFORMATION IMPACT ASSESSMENTS (PIIA)

It is a good practice to conduct a PIIA for any new product or service. This usually

describes the nature, scope, context and purposes of the processing; assesses

necessity, proportionality and compliance measures; identifies and assesses

risks to individuals; and identifies any additional measures to mitigate those risks.

A PIIA operates as a control mechanism and may identify irregularities or system

weaknesses regarding the organisation’s handling of personal data. These

weaknesses may include a lack of security, which may lead to inappropriate use

of personal information, the collection of unnecessary or irrelevant personal

information, or unnecessarily long retention periods.


Privacy related policies

A privacy-related policy is an internal document for employees and vendors,

presenting the privacy principles and standards within the organisation.

Main privacy-related policies that you should consider implementing:

- Privacy Policy
- Records Retention and Destruction Policy
- Privacy Incident Management Policy
- Promotion of Access to Information Act ("PAIA") Manual
- Policy on Processing Sensitive or Children's Information
- Data Sharing Policy
- Contract Management Policy
- Cross Border Data Flow Policy
- Acceptable Use Policy

Privacy-related policies should be interfaced with other policies within the organisation that have privacy aspects, such as human resources policies, supply chain management policies, information security policies and document management policies.

You should focus on efficient ways to communicate policies within your organisation:

- clear and understandable language;
- availability of the policies; and
- training on the policies (workshops and similar).


PROTECTING THE RIGHTS OF DATA SUBJECTS

Data subjects' rights are guaranteed under POPIA:

- right to information about processing;
- right of access;
- right of correction and erasure;
- right of processing restriction;
- right of objection to processing; and
- right to complain to the Regulator.

How to guarantee these rights at your organisation level:

- implement notices informing the data subjects about the processing and their rights, in plain language;
- require consent when needed or ensure that you have another clear and fair legal basis for processing; where required, guarantee that the data subject is given a fair choice about the processing of his or her data;
- make sure you have a PAIA manual in place with all required information; and
- implement a data subject access request policy and related procedures, and make sure your staff is sufficiently trained to engage with data subjects and respond to their requests.


SECURITY SAFEGUARDS

Information security is a basis for privacy. POPIA makes information security a priority: section 19 requires the responsible party to secure the integrity and confidentiality of personal information in its possession through appropriate, reasonable technical and organisational measures. This applies not just to your organisation (the responsible party), but also to other organisations that may process personal information on your organisation's behalf (operators), whose security obligations must be fixed in a written contract with you (section 21).

There are a number of information security frameworks that you can use to guide your organisation on this requirement, for example ISO/IEC 27001.

Examples of technical and organisational measures to comply with security

requirements include:

- Encryption;

- Access control;

- De-identification; and

- Secure destruction.
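Of the four measures listed above, de-identification is the one most often done badly: stripping names while leaving an ID number or a free-text note in place leaves the record identifiable. The following Python example is added here and is not part of the PPM Attorneys guide. It shows one way to de-identify a set of customer records: direct identifiers are replaced with keyed one-way tokens (HMAC-SHA256), quasi-identifiers such as date of birth and postal code are coarsened, free-text fields are dropped, and a final check confirms that no original identifier survives verbatim. The field names, the sample records (fictitious people, constructed for the example) and the helper names are assumptions for illustration. One caveat a practitioner should keep in mind: tokenised records can still be linked back by whoever holds the key, so keep the key away from the de-identified data set (or destroy it) if you intend to rely on the exclusion for de-identified information.

```python
import hashlib
import hmac
import secrets

# Assumed field names for the example. Direct identifiers are replaced with
# keyed tokens, quasi-identifiers are coarsened, and free-text fields that may
# contain names or other personal information are dropped entirely.
DIRECT_IDENTIFIERS = ("id_number", "name", "email")
DROP_FIELDS = ("notes",)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, one-way token for a direct identifier (HMAC-SHA256).

    Tokens are stable for the same input and key, so records can still be
    joined across data sets, but they cannot be reversed without the key.
    Input is trimmed and lower-cased so 'A@Example.org' and 'a@example.org'
    map to the same token.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def coarsen_dob(dob: str) -> str:
    """Keep only the year of birth (YYYY-MM-DD -> YYYY)."""
    return dob[:4]


def coarsen_postcode(postcode: str) -> str:
    """Keep only the first two digits of a four-digit postal code."""
    return postcode[:2] + "**"


def deidentify_record(record: dict, key: bytes) -> dict:
    """Apply the de-identification rules to a single record."""
    out = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymise(value, key)
        elif field == "date_of_birth":
            out[field] = coarsen_dob(value)
        elif field == "postcode":
            out[field] = coarsen_postcode(value)
        else:
            out[field] = value
    return out


def deidentify(records: list, key: bytes) -> list:
    return [deidentify_record(r, key) for r in records]


def leaks_direct_identifier(deidentified: list, originals: list) -> bool:
    """Sanity check: return True if any original direct identifier value
    still appears verbatim (case-insensitively) anywhere in the output."""
    raw = {
        str(r[f]).strip().lower()
        for r in originals
        for f in DIRECT_IDENTIFIERS
        if f in r
    }
    return any(str(v).strip().lower() in raw for r in deidentified for v in r.values())


# Constructed sample records: fictitious people and made-up ID numbers.
SAMPLE_RECORDS = [
    {"id_number": "8001015009087", "name": "A. Example", "email": "a@example.org",
     "date_of_birth": "1980-01-01", "postcode": "2196", "plan": "gold",
     "notes": "Spoke to Ms Example by phone"},
    {"id_number": "9102024000088", "name": "B. Sample", "email": "B@Example.org",
     "date_of_birth": "1991-02-02", "postcode": "8001", "plan": "silver",
     "notes": ""},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store separately from the de-identified output
    for row in deidentify(SAMPLE_RECORDS, key):
        print(row)
    print("identifier leaked:", leaks_direct_identifier(deidentify(SAMPLE_RECORDS, key), SAMPLE_RECORDS))
```

The `plan` field is carried through unchanged, which is the point of the exercise: the analytics value of the data set is preserved while the fields that identify a person are tokenised, coarsened or removed. The leak check is deliberately simple; in practice it should also be run against any new field added to the schema, since a single untreated column defeats the whole measure.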


TRAINING AND AWARENESS

In many cases data breaches occur because of the negligence or oversight of staff or vendors. The consequences of a data breach can be detrimental to a company and include not only direct damages and sanctions, but also substantial reputational harm.

Training your staff is part of your obligations under data privacy laws and is one

of the measures demonstrating your compliance. The mere occurrence of, as

well as the costs and consequences of data breaches and data incidents could

be drastically reduced by having appropriate awareness and training programs in

place for your organisation. Having a well-crafted training program which suits

your industry and organisation, as part of your privacy programme, is crucial.

To achieve this goal, the Information Officer is required to conduct or facilitate

regular training and awareness sessions.

Classroom training is the most common means of training but can be reinforced by various complementary channels, such as:

- Online learning through streaming, videos and websites;

- Workshops and simulations; and

- Posters, newsletters and email campaigns.

Booklets, pamphlets, FAQs and stickers can also be an effective way to convey a few simple but necessary messages regarding privacy in the organisation.

The more creative and varied the communication channels are, the more effective

it is at conveying the message to the organisation. However, irrespective of

the variety of channels, the communication should be consistent at all levels.


It may be also beneficial to establish a privacy community to deliver privacy

messages throughout the organisation. This can be done, for example, by

appointing a “privacy champion” in each department, who follows up on training

and awareness within his/her own department and reports difficulties or specific

aspects. This makes it easier for the Information Officer to refine or accurately

customise the privacy training.

Privacy awareness amongst your team is an ongoing effort. The privacy training

should be part of the induction process in your organisation. Each member of

your team should receive initial training, and this training should be regularly

refreshed and updated.

Although privacy training has cost implications for your organisation, it will most

certainly reduce risks. It therefore makes sense to implement methods to

measure effectiveness of these programs.

As an example, a simple dashboard of your training and awareness could include the following metrics:

- percentage of the workforce which received training during a given period;
- type of training received;
- percentage of training completed;
- trend in the results of quizzes or simulation exercises; and
- trend in the number of privacy incident reports.


HANDLING DATA BREACHES


HOW DO DATA BREACHES OCCUR?

The list below illustrates just a few common ways in which data breaches can occur. A breach could be disastrous to any entity because the confidentiality, and possibly the integrity, of sensitive data such as customer information or internal business information would be compromised. This could have a major reputational and financial impact on the entity.

CRIMINAL HACKING

Criminal hacking is widely reported as the most prevalent cause of data breaches, and it does not always require technical knowledge: criminals can purchase stolen login credentials on the dark web and simply log in as the victim. Other common methods include malware, SQL injection, fraud, social engineering and phishing scams.

HUMAN ERROR

It is common for data breaches to occur even if there was no malicious intent.

This could happen by an employee sending an email or physical file containing

sensitive personal information to the wrong email address.

UNAUTHORISED USE

This can occur in two ways. In the first instance, an employee may misuse

information they have legitimate access to. Alternatively, an employee may

ignore company access restriction policies such as ensuring all electronic devices

are password protected.

PHYSICAL THEFT

Laptops, smartphones, tablets and hard drives are just a few of the electronic devices stolen on a daily basis. If the device is not protected by full-disk encryption, unlocked by a strong passphrase or PIN rather than a key stored on the device itself, the thief will have access to the organisation's sensitive information.

INCIDENT RESPONSE

An incident response plan is a framework which provides clear instructions to all

role players about what to do when a data breach occurs. It should help detect,

respond to, and recover from issues such as cybercrimes and data losses. You

should conduct an assessment to identify any current data security gaps.

Before the breach: Plan ahead! Identify who will be affected by a breach and what role each person within the organisation will play. Early detection is one of the most effective ways to manage a data breach. Ensure that your employees are trained and aware of the plan, and that systems and data protection measures are tested regularly.

[Figure: incident response flow: Incident occurs; Assess the situation; Investigate the incident; Assess the damage; Incident report; Communication]

When the breach occurs: Communicate! Ensure that the necessary parties within the organisation are notified of the breach as soon as possible so they may take the necessary measures to mitigate the damage. Determine the root cause of the data breach and eradicate it. Consider whether you should bring your lawyers on board to manage any investigation you initiate: where the investigation is conducted for the purpose of obtaining legal advice or in contemplation of litigation, its outcome may be protected by legal professional privilege, in which case you would not be obliged to hand it over in civil litigation or in regulatory investigations and prosecutions. Privilege is not automatic, so take advice on how to structure the investigation before it starts.

After the breach: Respond! Bring affected systems back online carefully to avoid

further incidents. Use the breach to learn what parts of your plan are effective

and which areas require improvement.


REPORTING OBLIGATIONS

Section 21: The operator must notify the responsible party immediately if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

Section 22: If there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person, the responsible party must notify the Regulator and the data subject as soon as reasonably possible after the discovery of the compromise. When determining what "as soon as reasonably possible" means, you should take into account the legitimate needs of law enforcement and any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system. You may only delay notifying the data subject if a public body responsible for the prevention, detection or investigation of offences, or the Regulator, determines that notification will impede a criminal investigation. Notification to a data subject must be in writing and must give enough information for the data subject to take protective measures, including a description of the possible consequences of the compromise, the measures you intend to take or have taken to address it, and a recommendation on what the data subject can do to mitigate the effects.


Your organisation has until 30 June 2021 to comply with POPIA. Please contact us if you need help and advice on your POPIA compliance project. We are privacy experts and we are ready to help.

Lucien Pierce, Mathando Likhanya, Delphine Daversin, Melody Musoni, Yashoda Rajoo