As you might be aware, some proactive companies have already started implementing the Protection of Personal Information Act No. 4 of 2013 (POPIA). Companies have started with their POPIA awareness training sessions for the Board, Management, and Employees, as required by the draft regulations of POPIA that were published during 2017.
There are mainly five areas that need to be addressed to become fully compliant with POPIA. These can be called the big five of POPIA implementation within any organisation.
The big five areas are:
- Governance – This governance aspect includes the appointment of an Information Officer and setting up governance structures to govern Information Management;
- People – The people aspect of an implementation is the most important part, as in most cases (up to 80% of the cases) data breaches occur because of people’s negligence or oversight. People need to be made aware of the provisions of the POPI Act and regulations and how these will affect them in their work environment;
- Process – The process aspect includes the development of policies, procedures, and guidelines to mitigate the risk in relation to the conditions of lawful processing of personal information;
- Information Technology (IT) – The IT aspect relates to the safeguarding of personal information and ensuring that only people that should have access to specific personal information have access to that information; and
- Change Management – The last aspect is also very important, as without proper change management a POPIA implementation project can fail; there needs to be buy-in from all parties to ensure that a POPIA implementation project succeeds.
If we focus on the people aspect, basic POPIA awareness training can be done within a two-hour period, after which employees can return to their activities. The two-hour POPIA awareness sessions have a profound effect on the people who have attended, and the following were some of the outcomes that we have experienced in the past five years:
- Information officers have been appointed;
- Information Governance Committees have been established;
- Employees have started filing documents that they did not file in the past;
- Fewer reports are sent to people, and the reports that are sent out contain only the necessary information;
- Employees have provided valuable input that changed processes and streamlined information flows; and
- Employees have become much more diligent when dealing with the processing of personal information.
POPIA awareness training is a valuable tool for becoming POPIA compliant. It is a requirement under the POPIA draft regulations that the Information Officer must ensure that awareness sessions are conducted regarding the provisions of the POPI Act, regulations made in terms of the POPI Act, codes of conduct (where applicable), and information obtained from the Regulator from time to time.
It is never too late to start with compliance with the POPI Act and regulations; start today.
Abel Pienaar CA (SA)
Baitseanape Management Consulting (Pty) Ltd