Compliance Checklist for South Africa’s POPIA

Published June 29, 2021

South Africa’s Protection of Personal Information Act (POPIA) comes into effect on July 1st, 2021. We have compiled a checklist of the key requirements under South Africa’s POPIA.

  1. Appoint an Information Officer responsible for POPIA compliance:
    Organizations must appoint an Information Officer who will be responsible for encouraging compliance with POPIA. The Information Officer will handle any privacy requests made to the organization and cooperate with the Information Regulator on investigations and compliance. Before starting their role, they are required to register with the Regulator.
  2. Identify the lawful basis for collection and use of all personal information:
    Organizations can process personal information only on a lawful basis. The processing of personal information should be adequate, relevant and not excessive to stated and intended purposes. Organizations must inform data subjects about the purposes of collection. Furthermore, organizations must ensure that the personal information they have is complete, accurate, and updated.
  3. Respond to data subjects’ data access and rectification requests:
    Under the POPIA, data subjects have the right to access their data and inquire about third parties who have access to the information. Additionally, data subjects can request to correct or delete their information. Organizations must respond to such requests as soon as reasonably practicable.
  4. Notify security compromises as soon as reasonably possible:
    POPIA requires organizations to notify security compromises to the regulator and impacted data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person. Notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and restore the integrity of the organization’s information system.
  5. Have a written contract with the data operator:
    POPIA requires organizations to have a written contract with the operator (data processor) to ensure that the operator will establish and maintain security measures for the protection of personal information in line with POPIA.
  6. Ensure an adequate level of protection in cases of cross-border data transfers:
    An organization cannot transfer personal information to a third party in a foreign country unless one of the following conditions is fulfilled:

    • There exists an adequate level of protection. In other words, the recipient is subject to a law, binding corporate rules or a binding agreement providing an adequate level of protection that effectively upholds principles similar to those of POPIA;
    • The data subject has consented to the transfer;
    • The transfer is necessary for the performance of a contract between the data subject and the data controller;
    • The transfer is necessary for the performance of a contract concluded in the interest of the data subject; or
    • The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject.
  7. Maintain the documentation of all processing operations:
    POPIA requires organizations to maintain documentation of all data processing operations under their responsibility. Such documentation will help organizations demonstrate compliance to the Regulator.

To learn more, download “What do you need to know about South Africa’s POPIA?” and get a detailed view of POPIA’s requirements.


Frequently Asked Questions (FAQs)

The Protection of Personal Information Act (POPIA) in South Africa imposes several requirements, including obtaining lawful consent for data processing, notifying data subjects about data collection, safeguarding personal information, appointing a Data Protection Officer, and ensuring cross-border data transfers comply with the law, among other requirements.

Public and private organizations with a physical presence in South Africa that use automated or non-automated means to process or enter personal information into records are subject to POPIA. It also applies to organizations not based in South Africa but using means in South Africa to process personal data, unless those means are used only to forward the information through the country.

POPIA compliance refers to adhering to the requirements and principles set forth in the Protection of Personal Information Act to protect individuals' privacy and personal information.

Ensuring POPIA compliance involves several steps, including conducting data audits, implementing data protection policies and procedures, training staff on data protection practices, appointing a Data Protection Officer (DPO), and regularly reviewing and updating data protection measures.
