Compliance Starts With Understanding
#POPIASimplified – Episode 1
Under the Protection of Personal Information Act (POPIA), a responsible party must ensure that the conditions and measures set out for processing personal information are complied with, both before and during processing [1]. This accountability requirement is the first of the 8 conditions that organisations need to comply with.
“Wait a second, what on earth did I just read?” may be running through your mind right now, and we don’t blame you. The purpose of this new series is not only to break down POPIA into digestible information, but also to explore the solutions.
It’s imperative that companies understand what has changed and how they can be held liable. “Not knowing” will not hold up in court as a reason for violating this Act, and we hope this series will help you and your company understand one of the most important changes taking place in South Africa’s digital world.
Some of the words used in this first condition may already raise a few questions like:
- What qualifies as ‘personal information’?
- What does ‘processing’ mean?
- Who is the ‘responsible party’?
- What ‘conditions and measures’ need to be complied with, and how do you go about doing so?
Before anxiety starts creeping into your mind, let’s break it down:
- Personal Information is any information that can identify a living natural person, such as a person’s identification number, email address, phone number, or home address.
- Processing refers to personal information being collected, organised, stored, retrieved, distributed, transmitted or destroyed, whether by manual (human) or automatic (computer) operations.
- The Responsible Party is a public or private body that determines the purpose of and means for processing personal information. It is the party that controls the personal information and makes all decisions related to it, even if it is not the party that actually processes the data. Despite not processing the information itself, it remains ultimately accountable [2]. In short, your company is the responsible party for all your clients’ stored information, even if you use an external company to process that information for you.
- Conditions and Measures are the rules you must follow by law to ensure your organisation is compliant with POPIA. Personal information may only be processed in accordance with the 8 processing conditions, which include having a purpose for processing personal information, limiting such processing, ensuring the quality of personal information, processing it in a transparent manner, and having the appropriate security safeguards in place. Over the next few weeks we will look at each of the 8 conditions in detail [3].
“See? That wasn’t so bad!” is what we’re hoping is running through your mind now that we’ve covered the first condition and some basic definitions. But just in case, let’s take it one step further.
Let’s say, for example, that you qualify as a responsible party and are responsible for processing your customers’ personal information. There is no shortage of information on how you need to process this information, but do all digital platforms adhere to these strict regulations?
Glad you asked. Not all platforms necessarily do, and it’s ultimately your company’s responsibility to ensure that your organisation meets this accountability obligation.
It all starts by having a good digital platform that focuses on data security and management at its core, and allows you to be compliant without too much admin or without having to launch a whole POPIA compliance project and taskforce. Combining our years (without giving away our age) of both legal and tech experience, our recommendation would be a renowned platform such as Salesforce.
While we could write a book on why this is our opinion, let’s try to stick to 6 reasons why this platform is the leader in keeping personal information safe and secure:
- All data on Salesforce is secured using the most advanced technology available, with both server authentication (which verifies your users’ credentials and in turn lets them access your various services) and data encryption (your precious information is scrambled so that it cannot be read without the correct encryption key, making it impossible to decipher without permission) [4].
- Given that the platform is known for its flexibility, it can store personal information for a company of any size, in any industry, irrespective of customisations made on the platform. Whether you use out-of-the-box features or reinvent the wheel, you can rest assured that the data management security functions are not compromised [5].
- Salesforce is built to comply with strict data and privacy laws and regulations (at times stricter than POPIA), such as US privacy laws and GDPR in Europe, which existed before POPIA came along. Irrespective of the region, data regulations share the same principle: creating conditions for accessing and using personal information. What makes Salesforce great is that it has placed a big emphasis on data privacy and security for several years already [6].
- Your data is securely stored. Salesforce was arguably the mainstream pioneer of cloud computing and data storage and by implication, they have the most experience in it too. They pride themselves in their data center strategy fundamentally based on security, trust and reliability. For example, your data is always stored in more than one data centre, to avoid a single point of failure in their infrastructure [7].
- Backups. To add another layer of accountability, Salesforce has a powerful backup function that allows you to schedule and automatically generate a backup of your data on a weekly or monthly basis [8]. We’ve all been there: typing out an entire document only for something outside your control to happen and, VOILA, the entire document is gone without a trace. Because destruction by automated means can qualify as processing, this is not something you want to happen. Automated backups are a welcome addition.
- Salesforce does not review, share, distribute, print, or reference any of the data hosted on their platforms [9].
We totally get it: complying with all of the conditions that POPIA sets out can be overwhelming, but the starting point is to get a foundation up and running that complies with the basic processing conditions. This will allow you to be compliant without trying too hard, not to mention avoid a 10 year prison sentence and an R10 000 000 fine [10]. We don’t know about you, but we’d rather be out fishing, with peace of mind that we’re 100% compliant, than be stuck in a POPIA conundrum.
If you’d also rather be out fishing with peace of mind that your company is 100% compliant than be stuck in a POPIA conundrum, do get in touch, we are here to help and answer all your questions.
Until then, follow us as we explore the world of POPIA and the tools that exist to make your life easier and allow you to focus on growing and managing your business.
Sources:
1. Protection of Personal Information Act 4 of 2013, S8.
2. https://dommisseattorneys.co.za/blog/popia-responsible-parties-operators/
3. Protection of Personal Information Act 4 of 2013, S1.
4. https://help.salesforce.com/articleView?id=000325217&type=1&mode=1
5. https://www.bullhorn.com/eu/blog/2016/08/the-5-benefits-of-salesforce/
6. https://help.salesforce.com/articleView?id=sf.data_protection_and_privacy.htm&type=5
7. https://help.salesforce.com/articleView?id=000314281&type=1&mode=1; https://nira.com/salesforce-history/
8. https://help.salesforce.com/articleView?id=000325217&type=1&mode=1
9. https://help.salesforce.com/articleView?id=000325217&type=1&mode=1
10. https://www.businessinsider.co.za/popia-what-your-business-needs-to-do-2021-3