Compliance Framework and Monitoring System
Compliance monitoring is a key component of an effective POPIA implementation and maintenance program. Compliance monitoring is a specific requirement of POPIA (regulation 4(a)) but has not been well defined, leaving many information officers at a disadvantage in understanding how to effectively fulfil their responsibilities. Our 'POPIA Compliance solution and monitoring system' provides information officers with clear guidance on what is required to comply and an automated system with which to monitor and maintain compliance.
This automated legal register answers which legal requirements of South African legislation responsible parties have to comply with, and explains how these "legal compliance obligations" apply to their organisations. This information is needed when assessing the lawful nature of processing operations and when updating the PAIA manual with the requirements of the POPI Act.
Data Flow Analysis (a.k.a. data mapping)
Data-flow analysis is a technique used by information officers to understand how personal information is processed and to identify the data elements, and the safeguards protecting them, at each step of the processing. It is a non-intrusive approach to identifying the personal information processed within processing operations.
Record of Processing Operations
POPIA requires that all processing operations be documented. This ensures that the information the Information Regulator may require when investigating a complaint, or that a data subject will need to formulate an objection or complaint, is available without delay. Details of processing operations will also assist responsible parties when assessing risks and determining the most appropriate measures to counter those risks.
POPIA Process Assessor
A structured, automated process is used to collect and record the information needed to assess compliance with the conditions for the lawful processing of personal information. Guidance is provided to assist the assessor in properly assessing compliance.
Personal Information Impact Assessment
Personal information impact assessments (PIIA) are a requirement of POPIA regulation 4(b). The PIIA is a process to help responsible parties identify and minimise the data protection risks of a project, process, system, service or product. The POPIA compliance solution provides an automated process and templates to guide the responsible party through the assessment and to produce an adequately documented summary of the risks and the counter-measures suitable for limiting the potential harm to data subjects.
Register of Privacy Notices
Privacy notices and statements are a requirement of POPIA to ensure data subjects are aware of how their personal information will be processed. Over time, business processes and the need for privacy notices and statements change. It is therefore necessary to keep control over the information being provided to data subjects, as well as changes thereto. Version control and a record retention schedule for the privacy notices should be established and a register of notices maintained electronically.
Data Subject Request Handler
POPIA gives data subjects many rights, including the right to make the following requests and take the following actions:
- Information request
- Access request
- Correction request
- Destruction request
- Restriction request
- Assurance request
- Change notification request
- Direct marketing request
- Objection to processing
- Consent withdrawal
Structured, automated processes are implemented to enable data subjects to make requests, object to processing and withdraw consent. These actions are forwarded to the information officer for response.
POPIA Consent Manager
If a responsible party finds that the consent previously obtained from a data subject does not meet the requirements of POPIA, or that it does not hold sufficient proof of the consent it has received, the responsible party must refresh the consent it holds so that it is valid for future processing of personal information.
Direct Marketing Consent Requester
Prior to approaching data subjects for the purpose of direct marketing, the responsible party must first obtain consent from the data subject using the official form prescribed for this purpose. The POPIA compliance solution is used to request consent using an electronic version of the prescribed form.
Vendor Contract Manager
POPIA requires that responsible parties, in terms of a written contract between the responsible party and the operator, ensure that an operator which processes personal information on their behalf establishes and maintains the security measures required to protect that processing. A register of contracts with operators provides a central electronic repository for the contracts and enables easy review of adherence to the contractual obligations.
Data Subject Notifier
When personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of the information being collected and where the information is not collected from the data subject, the source from which it is collected. An automated process is used to fulfil the POPIA notification obligations.
Personal Information Classification
POPIA requires that responsible parties establish and maintain appropriate safeguards against the risks to data subjects. A personal information classification scheme provides a reliable and consistent approach to establish and maintain appropriate safeguards to protect personal information.
Data Protection Vulnerability Assessor
Responsible parties are required to take reasonable measures to regularly verify that the safeguards are effectively implemented. A centralised repository of assessment programmes is developed and maintained to evaluate vulnerabilities.
Operator Compliance Verification
The responsible party must obtain sufficient guarantees from its operators that they can meet the Regulation's requirements and ensure the protection of the rights of the data subject. Responsible parties must also verify their operators' compliance with their contractual and legal obligations.
Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive. This requirement also applies to record retention. Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed.
A responsible party must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record.
Preparing for a data protection incident by creating policies and procedures, and ensuring everyone is aware of the process for responding to an incident, goes a long way towards establishing a base from which to work when a data protection incident or breach occurs. A predefined, automated workflow and templates are used to assist responsible parties in responding to data protection incidents.
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator and the data subjects as soon as reasonably possible after discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party's information system. A predefined, automated workflow and templates are used to assist responsible parties in notifying the Regulator and data subjects.
eLearning is used for internal awareness sessions on the provisions of the Act, regulations made in terms of the Act, codes of conduct, and information obtained from the Regulator. Student attendance and successful completion of sessions are managed. (www.popiatraining.co.za)
Prior Authorisation Requests
Responsible parties must notify the Information Regulator of high risk processing which is subject to prior authorisation, prior to any processing, and wait until the authorisation is received from the Regulator.
A request for authorisation will necessitate that the Information Regulator investigate the planned processing. Responsible parties need to prepare for these investigations or risk being denied authorisation. A predefined, automated workflow and templates are used to assist responsible parties in preparing prior authorisation requests.
Information Officer Services
As experienced data protection professionals, we are well positioned to support private and public bodies by:
- giving reliable advice and encouraging responsible parties to correctly comply with the conditions for the lawful processing of personal information,
- dealing with requests made by data subjects efficiently and correctly, and
- assisting the Information Regulator with its investigations into interference with data subject rights and instances of non-compliance with the Act.