Compliance Checklist for South Africa’s POPIA

South Africa’s Protection of Personal Information Act (POPIA) comes into effect on July 1st, 2021. We  have compiled a checklist of key requirements under South Africa’s POPIA.

1. Appoint an Information Officer responsible for POPIA compliance:
   Organizations must appoint an Information Officer who will be responsible for encouraging compliance with POPIA. The Information Officer will deal with any privacy requests made to the organization and cooperate with the Information Regulator on investigations and compliance. Before starting their role, they are required to register with the Regulator.
2. Identify the lawful basis for collection and use of all personal information:
   Organizations can process personal information only on a lawful basis. The processing of personal information should be adequate, relevant and not excessive to stated and intended purposes. Organizations must inform data subjects about the purposes of collection. Furthermore, organizations must ensure that the personal information they have is complete, accurate, and updated.
3. Respond to data subjects’ data access and rectification requests:
   Under the POPIA, data subjects have the right to access their data and inquire about third parties who have access to the information. Additionally, data subjects can request to correct or delete their information. Organizations must respond to such requests as soon as reasonably practicable.
4. Notify security compromises as soon as reasonably possible:
   POPIA requires organizations to notify security compromises to the regulator and impacted data subjects where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person. Notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and restore the integrity of the organization’s information system.
5. Have a written contract with the data operator:
   POPIA requires organizations to have a written contract with the operator/data processor to ensure that the operator will establish and maintain security measures for the protection of personal information in line with POPIA.
6. Ensure adequate level of protection in cases of cross border data transfers:
   An organization cannot transfer personal information to a third party in a foreign country unless one of the following conditions is fulfilled:
   • There exists an adequate level of protection. In other words, recipients are subject to a law, binding corporate rules or a binding agreement providing an adequate level of protection that effectively upholds the principles similar to POPIA.
   • The data subject has consented to transfer,
   • The transfer is necessary for the performance of a contract between the data subject and the data controller,
   • The transfer is necessary for the performance of a contract concluded in the interest of the data subject, or
   • The transfer is for the benefit of the data subject and it is not reasonably practicable to obtain the consent of the data subject.
7. Maintain the documentation of all processing operations:
   POPIA requires organizations to maintain the documentation of all data processing operations under its responsibility. Such documentation will help organizations demonstrate compliance to the Regulator.

To learn more, download “What do you need to know about South Africa’s POPIA?” & get a detailed view into POPIA’s requirements.