The regulations relating to the Protection of Personal Information Act (POPIA) require information officers to ensure that a compliance framework is developed, implemented, monitored and maintained.
The regulations add to the responsibilities of information officers by requiring that they ensure responsible parties use a framework to address their obligations to protect the rights of data subjects. A framework assists in the development and implementation of POPIA compliance-related requirements through a holistic, interrelated set of technical and organisational measures applied in an integrated manner, which can be monitored and maintained to ensure the rights of data subjects in South Africa are protected.
GOVERNANCE through the use of POPIA Compliance Policy
A POPIA compliance policy establishes the overarching principles and commitment to action by which an organisation achieves compliance. It sets the level of responsibility and performance required and sets the expectations against which actions will be assessed. The policy should be appropriate to the organisation’s POPIA compliance obligations that arise from its activities.
The governing body and top management, preferably in consultation with data subjects, should establish a POPIA compliance policy that:
- is appropriate to the purpose of the organisation
- provides a framework for setting objectives for protecting the rights of data subjects
- includes a commitment to satisfy applicable requirements, and
- includes a commitment to continual improvement.
The POPIA compliance policy should articulate:
- the scope of the compliance framework
- the application and context of the framework in relation to the size, nature and complexity of the organisation and its operating environment
- the extent to which POPIA compliance will be integrated with other functions, such as governance, risk, audit and legal
- the degree to which POPIA compliance will be embedded into operational policies, procedures and processes
- the responsibility for managing and reporting POPIA compliance issues
- the principles on which relationships with internal and external stakeholders will be managed
- the required standard of conduct and accountability
- the consequences of non-compliance.
The POPIA compliance policy should:
- be available as documented information
- be written in plain language so that all data subjects can easily understand the principles and intent
- be translated into other languages if necessary
- be communicated clearly within the organisation and be made readily available to all data subjects
- be available to interested parties, as appropriate
- be updated, as required, to ensure it remains relevant.
The active involvement of, and supervision by, the governing body and top management is an integral part of effective compliance with POPIA obligations. This helps ensure that employees fully understand the organisation’s policy and operational procedures and how these apply to their jobs, and that they carry out POPIA compliance obligations effectively.
Management should be responsible for compliance within its area of responsibility. This includes:
- cooperating with and supporting the information officer and encouraging employees to do the same
- personally complying and being seen to comply with POPIA policies, procedures and processes and attending and supporting POPIA compliance training activities
- identifying and communicating POPIA compliance risks in their operations
- actively undertaking and encouraging mentoring, coaching and supervising employees to promote POPIA compliant behaviour
- encouraging employees to raise POPIA compliance concerns
- actively participating in the management and resolution of POPIA compliance-related incidents and issues.
DEVELOPMENT of a POPIA Compliance Framework
The organisation should establish its POPIA compliance (data protection) objectives at relevant functions and levels.
The POPIA compliance objectives should:
- be consistent with the POPIA compliance policy
- be measurable
- take into account applicable requirements
- be monitored
- be communicated
- be updated and/or revised as appropriate.
In developing the POPIA compliance framework, consideration should be given to:
- specific local and international obligations
- the organisation’s strategy, objectives and values
- the organisation’s structure and governance framework
- the nature and level of risk associated with non-compliance
- other internal policies, standards and codes.
When planning how to achieve its POPIA compliance objectives, the organisation should determine:
- what will be done
- what resources will be required
- who will be responsible
- when it will be completed
- how the results will be evaluated, e.g. pursuant to identified POPIA compliance key performance measures and outcomes.
The organisation should retain documented information on the POPIA compliance objectives and on the planned actions to achieve them.
IMPLEMENTATION of a POPIA Compliance Framework
Subject to the provisions of section 55 of the Act, an information officer must ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information. Examples include:
- documentation of processing operations
- technical and organisational measures
- logical access control
- physical access control, such as door locks
- mechanisms and processes to ensure the protection of personal data
- a portal through which data subjects can access their personal information
- a system component to export personal data
The organisation's responsible parties should plan, implement and control the processes needed to meet POPIA compliance obligations, and to implement the actions to address POPIA non-compliance risks, by:
- defining the objectives of the processes
- establishing criteria for the processes
- implementing control of the processes in accordance with the criteria
- keeping documented information to the extent necessary to have confidence that the processes have been carried out as planned.
Procedures should be established, documented, implemented and maintained to support the POPIA compliance policy and translate the POPI Act obligations into POPIA compliance (data protection) objectives and operational practices.
In developing these procedures, consideration should be given to:
- integrating the POPIA compliance obligations into procedures, including computer systems, forms, reporting systems, contracts and other legal documentation
- consistency with other review and control functions in the organisation
- on-going monitoring and measurement
- assessment and reporting (including management supervision) to ensure that employees comply with procedures
- specific arrangements for identifying, reporting and escalating instances of non-compliance and risks of non-compliance.
The organisation's information officer should ensure that compliance by outsourced processes is controlled and monitored. The Protection of Personal Information Act specifies that outsourcing of an organisation’s operations does not relieve the organisation's responsible parties of their legal responsibilities and compliance obligations. A written contract is required with all operators who process personal information.
MONITORING the POPIA Compliance Framework
Monitoring of the compliance framework typically includes:
- effectiveness of training
- effectiveness of measures
- effective allocation of responsibilities for meeting compliance obligations
- currency of compliance obligations
- effectiveness in addressing compliance failures previously identified
- instances where internal compliance inspections are not performed as scheduled.
Monitoring of compliance performance typically includes:
- non-compliance and “near misses” (i.e. incidents without adverse effect)
- instances where compliance obligations are not met
- instances where objectives are not achieved
- status of compliance culture
- leading and lagging indicators.
MAINTENANCE of the POPIA Compliance Framework
Top management should review the organisation’s compliance framework, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The actual depth and frequency of such reviews will vary with the nature of the organisation and its policies.
The review should include consideration of:
- the status of actions from previous management reviews
- the adequacy of the compliance policy
- the extent to which the compliance objectives have been met
- adequacy of resources
- changes in external and internal issues that are relevant to the compliance management system
- information on the compliance performance, including trends in:
— non-conformities, corrective actions and timelines for resolution
— monitoring and measurement results
— communication from interested parties, including complaints
— audit results
- opportunities for continual improvement.
The outputs of the management review should include decisions related to continual improvement opportunities and any need for changes to the compliance management system.
It should also include recommendations on:
- the need for changes to the compliance policy, its associated objectives, systems, structure and personnel
- changes to compliance processes to ensure effective integration with operational practices and systems
- areas to be monitored for potential future non-compliance
- corrective actions with respect to non-compliance
- gaps or weaknesses in current compliance systems, and longer-term continual improvement initiatives
- recognition of exemplary compliance behaviour within the organisation.
The information officer should retain documented information as evidence of the results of management reviews and a copy should be provided to the governing body.