popi_compliance_monitoring

Overview

  • Accountability is one of the data protection conditions: it makes you responsible for complying with POPIA, and this requires that you are able to demonstrate your compliance.
  • You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
  • There are a number of measures that you can, and in some cases must, take, including:
    • adopting and implementing a compliance framework;
    • maintaining documentation of your processing activities;
    • carrying out personal information impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
    • putting written contracts in place with organisations that process personal information on your behalf;
    • implementing appropriate security measures;
    • recording and, where necessary, reporting personal information breaches; and
    • appointing an information officer.
  • Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
  • If you implement a POPIA management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
  • Being accountable can help you to build trust with data subjects and may help you mitigate settlements and enforcement action.

Checklist

☐ We take responsibility for complying with POPIA, at the highest management level and throughout our organisation.

☐ We keep evidence of the steps we take to comply with POPIA.

We put in place appropriate technical and organisational measures, such as:

☐ adopting and implementing data protection policies (where proportionate);

☐ putting appropriate data protection measures in place throughout the entire life-cycle of our processing operations;

☐ putting written contracts in place with organisations that process personal information on our behalf;

☐ maintaining documentation of our processing activities;

☐ implementing appropriate security measures;

☐ recording and, where necessary, reporting personal information breaches;

☐ carrying out personal information impact assessments for uses of personal information that are likely to result in risk to data subjects’ interests;

☐ appointing an information officer; and

☐ adhering to relevant codes of conduct.

☐ We review and update our accountability measures at appropriate intervals.

Briefly

What's needed under POPIA?

One of the significant requirements of POPIA is accountability. The accountability condition says that responsible parties are responsible for compliance with the other conditions. You need to be proactive about data protection, and evidence the steps you take to meet your obligations and protect data subjects’ rights.

What is accountability?

There are two key elements. First, the accountability condition makes it clear that responsible parties are responsible for complying with POPIA. Second, you must be able to demonstrate your compliance.

Why is accountability important?

Taking responsibility for what you do with personal information, and demonstrating the steps you have taken to protect data subjects’ rights, not only results in better legal compliance, it also offers you a competitive edge. Accountability is a real opportunity for you to show, and prove, how you respect data subjects' privacy. This can help you to develop and sustain data subjects' trust.

Furthermore, if something does go wrong, then being able to show that you actively considered the risks and put in place measures and safeguards can help you provide mitigation against any potential enforcement action. On the other hand, if you can’t show good data protection practices, it may leave you open to settlements, fines and reputational damage.

What do we need to do?

Accountability is not a box-ticking exercise. Being responsible for compliance with POPIA means that you need to be proactive and organised about your approach to data protection, while demonstrating your compliance means that you must be able to evidence the steps you take to comply.

To achieve this, you must put in place a POPIA compliance framework. This can help you create a culture of commitment to data protection, by embedding systematic and demonstrable compliance across your organisation. Amongst other things, your framework should include:

  • programme controls informed by the requirements of POPIA;
  • comprehensive but proportionate policies and procedures for handling personal data;
  • appropriate reporting structures;
  • assessment and evaluation procedures;
  • keeping records of what you do and why; and
  • creating a good level of understanding and awareness of data protection amongst your staff.

Section 19 of POPIA says that:

  • you must implement technical and organisational measures;
  • the measures should be risk-based and proportionate; and
  • you need to review and update the measures as necessary.

While POPIA does not specify an exhaustive list of things you need to do to be accountable, it does set out several different measures you can take that will help you get there. These are summarised under the headings below, with links to the relevant parts of the guide. Some measures you are obliged to take and some are voluntary. It will differ depending on what personal data you have and what you do with it. These measures can form the basis of your programme controls if you opt to put in place a privacy management framework across your organisation.

Should we implement data protection policies?

Implementing data protection policies is one of the measures you can take to ensure, and demonstrate, compliance. POPIA does not explicitly state that policies are required; however, they can be a useful governance mechanism.

What you have policies for, and their level of detail, depends on what you do with personal information. If, for instance, you handle large volumes of personal information, or particularly sensitive information such as special category data, then you should take greater care to ensure that your policies are effective.

As well as drafting data protection policies, you should also be able to show that you have implemented them through appropriate procedures and practices, and adhered to them. This should also include raising awareness, training, monitoring and audits.

Should we adopt a ‘data protection by design and default’ approach?

Privacy by design has long been seen as a good practice approach when designing new products, processes and systems that use personal data.

Data protection by design and default is an integral element of being accountable. It is about considering the rights of data subjects in everything you do, and embedding data protection throughout all your processing operations. Measures that may be appropriate include minimising the data you collect, applying pseudonymisation techniques, and improving security features.

Integrating data protection considerations into your operations helps you to comply with your obligations, while documenting the decisions you take (often in personal information impact assessments) demonstrates this.

Do we need to use contracts?

Whenever a responsible party uses an operator to handle personal information on its behalf, it needs to put in place a written contract that sets out each party’s responsibilities and liabilities.

Contracts must include certain specific terms as a minimum, such as requiring the operator to take appropriate measures to ensure the security of processing and obliging it to assist the responsible party in allowing data subjects to exercise their rights under POPIA.

Using clear and comprehensive contracts with your operators helps to ensure that everyone understands their data protection obligations and is a good way to demonstrate this formally.

What documentation should we maintain?

Under Section 17 of POPIA, responsible parties are required to maintain a record of their processing operations, covering areas such as processing purposes, data sharing and retention.

Documenting this information is a great way to take stock of what you do with personal information. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with other aspects of POPIA such as making sure that the information you hold about data subjects is accurate and secure.

As well as your record of processing operations under Section 17, you also need to document other things to show your compliance with POPIA. For instance, you need to keep records of consent and any personal information breaches.

What security measures should we put in place?

POPIA requires the implementation of technical and organisational measures to protect personal information. These measures should ensure a level of security appropriate to the risk to data subjects.

You need to implement security measures if you are handling any type of personal information, but what you put in place depends on the impact on data subjects. You need to ensure the confidentiality, integrity and availability of the systems and services you use to process personal information.

Amongst other things, this may include physical security, environmental security, computing resource protection, information security, access controls, security monitoring, and disaster recovery plans.

How do we record and report personal information breaches?

You must report personal information breaches to the Information Regulator, and in some circumstances, to the affected data subjects as well.

You need to be able to detect, investigate, report (both internally and externally) and document any breaches. Having robust policies, procedures and reporting structures helps you do this.

Should we carry out personal information impact assessments (PIIAs)?

A PIIA is an essential accountability tool and a key part of taking data protection seriously. It helps you to identify and minimise the data protection risks of any new projects you undertake.

A PIIA is a legal requirement that should be conducted before carrying out processing likely to result in risk to data subjects’ interests.

When done properly, a PIIA helps you assess how to comply with the requirements of POPIA, while also acting as documented evidence of your decision-making and the steps you took.

Should we assign an information officer?

All organisations are required to appoint an information officer. By default it is the CEO or equivalent position. However, the CEO can appoint and authorise an independent person to perform the duties of an information officer, including advising you about POPIA, monitoring compliance and training staff.

Your information officer must report to your highest level of management, operate independently, and have adequate resources to carry out their tasks.

It is very important that you have sufficient staff, skills, and appropriate reporting structures in place to meet your obligations under POPIA and PAIA.

Should we adhere to codes of conduct?

Under POPIA, trade associations and representative bodies may draw up codes of conduct covering topics such as fair and transparent processing, and the exercise of data subjects’ rights.

What else should we consider?

The above measures can help to support an accountable approach to data protection, but accountability is not limited to these. You need to be able to prove what steps you have taken to comply. In practice this means keeping records of what you do and justifying your decisions.

Example

A company wants to use the personal information it holds for a new purpose. It carries out an assessment in line with Section 15(2) of POPIA, and determines that the new purpose is compatible with the original purpose for which it collected the personal data. Although this provision of POPIA does not specify that the company must document its compatibility assessment, it knows that to be accountable, it needs to be able to prove that its handling of personal information is compliant with POPIA. The company therefore keeps a record of the compatibility assessment, including its rationale for the decision and the appropriate safeguards it put in place.

Accountability is not just about being answerable to the regulator; you must also demonstrate your compliance to data subjects. Amongst other things, data subjects have the right to be informed about what personal information you collect, why you use it and who you share it with. Additionally, if you use techniques such as artificial intelligence and machine learning to make decisions about data subjects, in certain cases data subjects have the right to hold you to account by requesting explanations of those decisions and contesting them. You therefore need to find effective ways to provide information to data subjects about what you do with their personal information, and explain and review automated decisions.

The obligations that accountability places on you are ongoing – you cannot simply sign off a particular processing operation as ‘accountable’ and move on. You must review the measures you implement at appropriate intervals to ensure that they remain effective. You should update measures that are no longer fit for purpose. If you regularly change what you do with personal information, or the types of information that you collect, you should review and update your measures frequently, remembering to document what you do and why.