Almost all organisations are faced with the challenge of achieving and maintaining compliance with the Protection of Personal Information Act No. 4 of 2013 (POPI Act). This handy checklist provides a proven step-by-step forty-action-point approach to compliance.
1. Formalise your POPI Act compliance project
Identify your relevant stakeholders
Identify your project sponsor
Identify your project manager
Set high level scope, timescale, budget
2. Appoint an Information Officer
Ensure alignment between your Promotion of Access to Information Act (PAIA) and POPI Information Officer (IO)
Decide whether the CEO can fulfill the IO function or needs a Deputy/Deputies (DIO)
Agree IO/DIO roles and responsibilities
Complete the formal appointment process
3. Perform a gap analysis versus the POPI Act
Set interim and final targets for compliance with the POPI Act. This does not mean slavishly shooting for 100% regardless of costs and benefits!
Engage with stakeholders in the assessment
Use an evidence-based approach
Use the assessments for ongoing compliance monitoring
4. Analyse what and how Personal Information is processed
Use a broad definition of record types as per the POPI Act (e.g. CCTV, biometric)
Look at various aspects as required by the POPI Act (including consent, purpose, source, sharing, destruction)
Consider user rights and their management
Think broadly in terms of the types of devices where data is stored – and represents a security compromise risk
5. Implement POPI Act compliance policies
Review existing relevant policies
Ensure your policies are reasonable and appropriate
Make sure your policies are enforceable
Design your Privacy Notices for diverse stakeholder groups
6. Review your web sites
Develop your checklist of what to review
Agree the rating scheme to be used
Use the opportunity to implement “best practice” such as Cookie notifications
Develop and implement your remediation plan
7. Update / create your PAIA manual
Confirm your organisation needs a Promotion of Access to Information Act (PAIA) manual and by when
Confirm whether you are a Public or Private Body as per the PAIA
Review the proposed contents of your manual
Ensure your PAIA manual follows the prescribed layout and includes the necessary details
8. Implement POPI compliant PI management processes
Look at the PI lifecycle: including acquisition, processing, retention, and destruction practices
Develop reasonable and appropriate measures to ensure ongoing compliance
These could include self-assessments, health-checks, formal audits
Develop your dashboard for compliance
9. Train stakeholders about their roles in POPI Act compliance
Design training according to their needs
Ensure you treat user education not as a once-off series of activities but part of an ongoing commitment
Leverage diverse training methods, including self-study, online, classroom, audio and video
Look to special needs such as the IO/DIO roles
10. Make POPI Act compliance “Business-As-Usual”
Recognise that POPI Act compliance will be the “new normal” and work that way
Build compliance into your products, services and processes – adopt “Privacy By Design”
Ensure ongoing monitoring of the data protection / POPI ecosystem – legislation, regulations, opportunities and threats
Build POPI into your everyday operations – make POPI “Business-As-Usual”
Article Source: https://changecollective.co.za/blogs/12-blog/legislation/32-10-steps-to-popi-act-compliance-checklist.html
For more a more comprehensive details on the POPI Act follow the below link:
Comments