- Accountability is one of the data protection conditions - it makes the CEO responsible (and liable) for complying with POPIA and this requires that the CEO must be able to demonstrate the organisation's compliance.
- The CEO needs to ensure appropriate technical and organisational measures are put in place to meet the requirements of accountability.
- There are a number of measures that the organisation can, and in some cases must, take including:
- adopting and implementing a compliance framework;
- maintaining documentation of the organisation's processing operations;
- carrying out personal information impact assessments for uses of personal information that are likely to result in high risk to individuals’ interests;
- putting written contracts in place with organisations that process personal information on behalf of the organisation;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal information breaches; and
- appointing an information officer whose primary responsibility is to assist data subjects.
- Accountability obligations are ongoing. The CEO must review and, where necessary, update the measures the organisation has put in place.
- Implementing a POPIA compliance management framework is a key POPIA requirement that will help the CEO embed accountability measures and create a culture of privacy across the organisation.
- Being accountable will help the organisation build trust with data subjects and may help the CEO mitigate settlements and enforcement action.
☐ We take responsibility for complying with POPIA, at the highest management level and throughout our organisation.
☐ We keep evidence of the steps we take to comply with POPIA.
We put in place appropriate technical and organisational measures, such as:
☐ adopting and implementing data protection policies (where proportionate);
☐ putting appropriate data protection measures in place throughout the entire life-cycle of our processing operations;
☐ putting written contracts in place with organisations that process personal information on our behalf;
☐ maintaining documentation of our processing activities;
☐ implementing appropriate security measures;
☐ recording and, where necessary, reporting personal information breaches;
☐ carrying out personal information impact assessments for uses of personal information that are likely to result in risk to data subjects’ interests;
☐ appointing an information officer; and
☐ adhering to relevant codes of conduct.
☐ We review and update our accountability measures at appropriate intervals.
- What’s needed under POPIA?
- What is accountability?
- Why is accountability important?
- What do we need to do?
- Should we implement data protection policies?
- Should we adopt a ‘data protection by design and default’ approach?
- Do we need to use contracts?
- What documentation should we maintain?
- What security measures should we put in place?
- How do we record and report personal information breaches?
- Should we carry out personal information impact assessments (PIIAs)?
- Should we assign an information officer?
- Should we adhere to codes of conduct and certification schemes?
- What else should we consider?
One of the significant requirements of POPIA is accountability. The accountability condition says that responsible parties are responsible for compliance with the other conditions. You need to be proactive about data protection, and evidence the steps you take to meet your obligations and protect data subjects’ rights.
There are two key elements. First, the accountability condition makes it clear that responsible parties are responsible for complying with POPIA. Second, you must be able to demonstrate your compliance.
Taking responsibility for what you do with personal information, and demonstrating the steps you have taken to protect data subjects’ rights not only results in better legal compliance, it also offers you a competitive edge. Accountability is a real opportunity for you to show, and prove, how you respect data subjects' privacy. This can help you to develop and sustain data subjects' trust.
Furthermore, if something does go wrong, then being able to show that you actively considered the risks and put in place measures and safeguards can help you provide mitigation against any potential enforcement action. On the other hand, if you can’t show good data protection practices, it may leave you open to settlements, fines and reputational damage.
Accountability is not a box-ticking exercise. Being responsible for compliance with POPIA means that you need to be proactive and organised about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply.
To achieve this, you must put in place a POPIA compliance framework. This can help you create a culture of commitment to data protection, by embedding systematic and demonstrable compliance across your organisation. Amongst other things, your framework should include:
- program controls informed by the requirements of POPIA;
- comprehensive but proportionate policies and procedures for handling personal data;
- appropriate reporting structures;
- assessment and evaluation procedures;
- keeping records of what you do and why; and
- creating a good level of understanding and awareness of data protection amongst your staff.
Section 19 of POPIA says that:
- you must implement technical and organisational measures;
- the measures should be risk-based and proportionate; and
- you need to review and update the measures as necessary.
While POPIA does not specify an exhaustive list of things you need to do to be accountable, it does set out several different measures you can take that will help you get there. These are summarised under the headings below, with links to the relevant parts of the guide. Some measures you are obliged to take and some are voluntary. It will differ depending on what personal data you have and what you do with it. These measures can form the basis of your programme controls if you opt to put in place a privacy management framework across your organisation.
Implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. POPIA doesn't explicitly state policies are required however they can be a useful governance mechanism.
What you have policies for, and their level of detail, depends on what you do with personal information. If, for instance, you handle large volumes of personal information, or particularly sensitive information such as special category data, then you should take greater care to ensure that your policies are effective.
As well as drafting data protection policies, you should also be able to show that you have implemented them through appropriate procedures and practices, and adhered to them. This should also include raising awareness, training, monitoring and audits.
Privacy by design has long been seen as a good practice approach when designing new products, processes and systems that use personal data.
Data protection by design and default is an integral element of being accountable. It is about considering the rights of data subjects in everything you do, and embedding data protection throughout all your processing operations. Measures that may be appropriate include minimising the data you collect, applying pseudonymisation techniques, and improving security features.
Integrating data protection considerations into your operations helps you to comply with your obligations, while documenting the decisions you take (often in personal information impact assessments) demonstrates this.
Whenever a responsible party uses an operator to handle personal information on their behalf, it needs to put in place a written contract that sets out each party’s responsibilities and liabilities.
Contracts must include certain specific terms as a minimum, such as requiring the operator to take appropriate measures to ensure the security of processing and obliging it to assist the responsible party in allowing data subjects to exercise their rights under POPIA.
Using clear and comprehensive contracts with your operators helps to ensure that everyone understands their data protection obligations and is a good way to demonstrate this formally.
Under Section 17 of POPIA, responsible parties are required to maintain a record of their processing operations, covering areas such as processing purposes, data sharing and retention.
Documenting this information is a great way to take stock of what you do with personal information. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with other aspects of POPIA such as making sure that the information you hold about data subjects is accurate and secure.
As well as your record of processing operations under Section 17, you also need to document other things to show your compliance with POPIA. For instance, you need to keep records of consent and any personal information breaches.
POPIA requires the implementation of technical and organisational measures to protect personal information. These measures should ensure a level of security appropriate to the risk to data subjects.
You need to implement security measures if you are handling any type of personal information, but what you put in place depends on the impact on data subjects. You need to ensure the confidentiality, integrity and availability of the systems and services you use to process personal information.
Amongst other things, this may include physical security, environmental security, computing resource protection, information security, access controls, security monitoring, and disaster recovery plans.
You must report personal information breaches to the Information Regulator, and in some circumstances, to the affected data subjects as well.
You need to be able to detect, investigate, report (both internally and externally) and document any breaches. Having robust policies, procedures and reporting structures helps you do this.
A PIIA is an essential accountability tool and a key part of taking data protection seriously. It helps you to identify and minimise the data protection risks of any new projects you undertake.
A PIIA is a legal requirement that should be conducted before carrying out processing likely to result in risk to data subjects’ interests.
When done properly, a PIIA helps you assess how to comply with the requirements of POPIA, while also acting as documented evidence of your decision-making and the steps you took.
All organisations are required to appoint an information officer. By default it is the CEO or equivalent position. However, the CEO can appoint and authorise an independent person to perform the duties of an information officer, including advising you about POPIA, monitoring compliance and training staff.
Your information officer must report to your highest level of management, operate independently, and have adequate resources to carry out their tasks.
It is very important that you have sufficient staff, skills, and appropriate reporting structures in place to meet your obligations under POPIA and PAIA.
Under POPIA, trade associations and representative bodies may draw up codes of conduct covering topics such as fair and transparent processing, and the exercise of data subjects’ rights.
The above measures can help to support an accountable approach to data protection, but accountability is not limited to these. You need to be able to prove what steps you have taken to comply. In practice this means keeping records of what you do and justifying your decisions.
A company wants to use the personal information it holds for a new purpose. It carries out an assessment in line with Section 15(2) of POPIA, and determines that the new purpose is compatible with the original purpose for which it collected the personal data. Although this provision of POPIA does not specify that the company must document its compatibility assessment, it knows that to be accountable, it needs to be able to prove that its handling of personal information is compliant with POPIA. The company therefore keeps a record of the compatibility assessment, including its rationale for the decision and the appropriate safeguards it put in place.
Accountability is not just about being answerable to the regulator; you must also demonstrate your compliance to data subjects. Amongst other things, data subjects have the right to be informed about what personal information you collect, why you use it and who you share it with. Additionally, if you use techniques such as artificial intelligence and machine learning to make decisions about data subjects, in certain cases data subjects have the right to hold you to account by requesting explanations of those decisions and contesting them. You therefore need to find effective ways to provide information to data subjects about what you do with their personal information, and explain and review automated decisions.
The obligations that accountability places on you are ongoing – you cannot simply sign off a particular processing operation as ‘accountable’ and move on. You must review the measures you implement at appropriate intervals to ensure that they remain effective. You should update measures that are no longer fit for purpose. If you regularly change what you do with personal information, or the types of information that you collect, you should review and update your measures frequently, remembering to document what you do and why.