Overview

  • The accountability condition requires you to make clear who is responsible for ensuring compliance with the conditions and says that you must put in place appropriate technical and organisational measures to give effect to such conditions.
  • This condition also requires you to make it clear from whom a data subject can seek settlement for disregarding his, her or its right to privacy. 
  • Being accountable for compliance with the conditions means there are several measures that you can, and in some cases must, take including:
    • developing and implementing a compliance framework and monitoring system;
    • maintaining documentation of your processing activities;
    • carrying out personal information impact assessments for all processing of personal information to ensure that adequate measures and standards exist in order to comply with the conditions;
    • putting written contracts in place with organisations that process personal information on your behalf;
    • implementing appropriate security measures;
    • developing internal measures together with adequate systems to process requests for information or access thereto;
    • recording and, where necessary, reporting personal information breaches;
    • appointing an information officer able to deal with requests from data subjects and effective in ensuring compliance by your organisation with the provisions of POPIA; and
    • adhering to relevant codes of conduct.
  • Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
  • Your POPIA compliance management system should help you embed your accountability measures and create a culture of privacy across your organisation.
  • Being accountable will help build trust with data subjects and may help you mitigate enforcement action.


Checklist

☐ We take responsibility for complying with POPIA, at the highest management level and throughout our organisation.

☐ Our responsible parties have been clearly identified and understand their personal responsibilities.

☐ We keep evidence of the steps we take to comply with POPIA.

We put in place appropriate technical and organisational measures, such as:

☐ developing and implementing a compliance framework and monitoring system;

☐ maintaining documentation of our processing activities;

☐ carrying out personal information impact assessments for all processing of personal information to ensure that adequate measures and standards exist in order to comply with the conditions;

☐ putting written contracts in place with organisations that process personal information on our behalf;

☐ implementing appropriate security measures;

☐ developing internal measures together with adequate systems to process requests for information or access thereto;

☐ recording and, where necessary, reporting personal information breaches;

☐ appointing an independent information officer; and

☐ adhering to relevant codes of conduct.

☐ We review and update our accountability measures at appropriate intervals.


Briefly

What is accountability?

There are two key elements. First, the accountability condition makes it clear that you must nominate a specific person who is responsible for complying with POPIA. The default person is the CEO. Second, you must be able to demonstrate your compliance.

Section 8 of POPIA says:

“The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.”

Why is accountability important?

Taking responsibility for what you do with personal information, and demonstrating the steps you have taken to protect data subjects’ rights, not only results in better legal compliance; it also demonstrates respect for human rights and the South African constitution. Accountability is a real opportunity for you to show, and prove, how you respect data subjects’ privacy. This can help you to develop and sustain data subjects’ trust.

Furthermore, if something does go wrong, then being able to show that you actively considered the risks and put in place measures and safeguards can help you provide mitigation against any potential compensation claims and enforcement action. On the other hand, if you can’t show good data protection practices, it may leave you open to settlements, fines and reputational damage.

What do we need to do?

Accountability is not a box-ticking exercise. Being responsible for compliance with POPIA means that you need to be proactive and organised about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply.

To achieve this, if you are a larger organisation you may choose to put in place a compliance management framework. This can help you create a culture of commitment to data protection, by embedding systematic and demonstrable compliance across your organisation. Amongst other things, your framework should include:

  • processes and mechanisms that enable data subject rights;
  • robust program controls informed by the requirements of POPIA;
  • appropriate reporting structures; and
  • assessment and evaluation procedures.

If you are a smaller organisation you will most likely benefit from a smaller scale approach to accountability. Amongst other things you should:

  • ensure a good level of understanding and awareness of data protection amongst your staff;
  • implement comprehensive but proportionate policies and procedures for handling personal information; and
  • keep records of what you do and why.

Section 16 of POPIA says that:

  • you must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

Section 19 of POPIA says that:

  • you must secure the integrity and confidentiality of personal information in your possession or under your control by taking appropriate, reasonable technical and organisational measures;
  • the measures should be risk-based and proportionate; and
  • you need to review and update the measures as necessary.

While POPIA does not specify an exhaustive list of things you need to do to be accountable, it does set out several different measures you can take that will help you get there. These are summarised below. Some measures you are obliged to take and some are voluntary. It will differ depending on what personal information you have and what you do with it. These measures can form the basis of your programme controls if you opt to put in place a privacy management framework across your organisation.

Should we implement data protection policies?

Putting in place relevant data protection policies is not a requirement of POPIA. Policies are one of the mechanisms used to direct compliance but are not the only mechanism you can use to ensure, and demonstrate, compliance.

What you have policies for, and their level of detail, depends on what you do with personal information. If, for instance, you handle large volumes of personal information, or particularly sensitive information such as special category data, then you should take greater care to ensure that your policies are robust and comprehensive.

As well as drafting data protection policies, you should also be able to show that you have implemented and adhered to them. This could include awareness raising, training, monitoring and audits – all tasks that your information officer can undertake (see below for more on information officers).

Should we adopt a ‘data protection by design and default’ approach?

Privacy by design has long been seen as a good practice approach when designing new products, processes and systems that use personal information. 

Data protection by design and default is an integral element of being accountable. It is about embedding data protection into everything you do, throughout all your processing operations. Measures that may be appropriate include minimising the data you collect, applying pseudonymisation techniques, and improving security features.

Integrating data protection considerations into your operations helps you to comply with your obligations, while documenting the decisions you take demonstrates this.

Do we need to use contracts?

Whenever a responsible party uses an operator to handle personal information on their behalf, it needs to put in place a written contract that sets out each party’s responsibilities and liabilities, and specifically the security measures the operator must implement.

Contracts must include certain specific terms as a minimum, such as requiring the operator to take appropriate measures to ensure the security of processing and obliging it to assist the responsible party in allowing data subjects to exercise their rights under POPIA.

Using clear and comprehensive contracts with your operators helps to ensure that everyone understands their data protection obligations and is a good way to demonstrate this formally.

What documentation should we maintain?

Under Section 17 of POPIA, all organisations are required to maintain documentation of their processing operations, covering areas such as processing purposes, data sharing and retention.

Documenting this information is a great way to prepare an inventory of personal information. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with other aspects of POPIA such as making sure that the information you hold about data subjects is accurate and secure.

As well as your documentation of processing operations, you also need to document other information to show your compliance with POPIA. For instance, you need to keep records of consent and logs of any personal information breaches.

What security measures should we put in place?

POPIA requires that you implement technical and organisational measures in the context of security. It requires that these measures ensure a level of security appropriate to the risk.

You need to implement security measures if you are handling any type of personal information, but what you put in place depends on your particular circumstances. You need to ensure the confidentiality, integrity and availability of the systems, products and services you use to process personal information.

Amongst other things, this may include access controls, security monitoring, and recovery plans.

Should we carry out personal information impact assessments (PIIAs)?

A personal information impact assessment is an essential accountability tool and a key part of taking a data protection by design approach to what you do. It helps you to identify and minimise the data protection risks of any new projects you undertake.

A PIIA is a legal requirement and should be carried out before processing that can result in risk to data subjects’ interests.

When done properly, a PIIA helps you assess how to comply with the requirements of POPIA, while also acting as documented evidence of your decision-making and the steps you took.

Should we assign an information officer? 

All organisations are required to appoint an information officer. An information officer’s tasks include advising you about POPIA, monitoring compliance, training staff and assisting data subjects with their requests.

Your information officer must report to your highest level of management, operate independently, and have adequate resources to carry out his or her tasks.

It is very important that you have sufficient staff, skills, and appropriate reporting structures in place to meet your obligations under POPIA.

What else should we consider?

The above measures can help to support an accountable approach to data protection, but it is not limited to these. You need to be able to prove what steps you have taken to comply. In practice this means keeping records of what you do and justifying your decisions.

Accountability is not just about being answerable to the regulator; you must also demonstrate your compliance to data subjects. Amongst other things, data subjects have the right to be informed about what personal information you collect, why you use it and who you share it with. Additionally, if you use techniques such as artificial intelligence and machine learning to make decisions about data subjects, in certain cases data subjects have the right to hold you to account by requesting explanations of those decisions and contesting them. You therefore need to find effective ways to provide information to data subjects about what you do with their personal information, and explain and review automated decisions.

The obligations that accountability places on you are ongoing – you cannot simply sign off a particular processing operation as ‘accountable’ and move on. You must review the measures you implement at appropriate intervals to ensure that they remain effective. You should update measures that are no longer fit for purpose. If you regularly change what you do with personal information, or the types of information that you collect, you should review and update your measures frequently, remembering to document what you do and why.