popi act

The President has announced that the Protection of Personal Information Act will Commence on the 01 July 2020. Which then begs the question, what should you do next?

The long-awaited announcement from the President regarding the official commencement date of the Protection of Personal Information Act has finally arrived. This week the Presidency announced that the remaining sections of the Act will come into effect from 01 July 2020. The Act provides all organisation a twelve month grace period from this commencement date to achieve compliance before facing any consequences.

However, it’s worth noting that reaching compliance is a marathon and not a sprint, it requires a combination of a shift in organisational culture, company-wide policies, staff training, updating business and technical processes, implementing and reviewing controls, updating or reviewing contracts, and communicating with relevant stakeholders. Therefore the plans to achieve compliance should not be delayed as they will not be achievable at a last minutes notice. 

The consequences of being found to be non-compliant after the twelve month grace period include:

  • Imprisonment of offenders for between one to 10 years.
  • Up to R10 million in penalties and fines.
  • Enforcement notice requiring non-compliant organisation to stop processing personal information (which could affect the continuation of business operations)
  • Civil action on behalf of an individual or group of individuals.

Preparing for POPI Act Compliance

Organisations should begin now to implement compliance programs and review the implementation on a regular basis. Bahati Tech presents a practical approach to assist different organisations to achieve POPIA compliance:

  1. Create a tailor-made compliance programme for your organisation:
    1. Identify business areas involved in personal information
    2. Define the business needs and processes related to the processing ( i.e collection, storage, use, share or transfer, and destruction or archival of personal information) 
    3. Define data protection policy and strategy
    4. Create personal data flow diagrams with narratives processing of how personal information flows throughout your organisation.
    5. Create personal information inventory that covers all digitally processed data and paper-based repositories
    6. Identify the information security controls and gaps (deficiencies) in the data flow
  2. Perform Data Protection Risk and Maturity Assessments 
  3. Prepare and present a POPI Compliance Assessment Report

To discuss how we can support you further email us on:

Hello -{at}- bahatitech.co.za