Operationalising PoPIA – will you be ready?

A May 2018 GDPR survey pointed to several best practices that are relevant to operationalising PoPIA. A top-down approach, supported by technology, is essential to automate key processes and provide an audit trail of decisions made.


With COVID-19 dominating the headlines, it’s no surprise that many of us may have missed last month’s proclamation bringing additional sections of the Protection of Personal Information Act (PoPIA) into operation.

The sections of the Act that came into force on 1 July 2020 are sections 2 to 38; sections 55 to 109; section 111 and section 114(1), (2) and (3), while sections 110 and 114(4) will come into play on 30 June 2021.

Conditions for Lawful Processing

These are the essential sections of the Act that deal with, amongst others, the conditions for lawful processing of (and limitations on further processing of) personal information; provisions regulating direct marketing; procedures for dealing with complaints; and general enforcement of the Act.

Whilst the Act was passed in 2013, its implementation has taken an incremental course, with various delays, meaning that many of us have taken a “head in the sand” approach and are now left with a lot to do in the one-year grace period.

Parallels can be drawn with the European Union, where corporations had a two-year period to become compliant with the similar Global Data Protection Regulation (GDPR). Many missed the initial deadline.

A top-down approach to operationalise PoPIA

Operationalising PoPIA is in many ways a data management challenge.

Organisations must identify where personal data resides in their organisation, who is responsible for it, and whether it is being used in accordance with conditions for lawful processing.

A key lesson that should be learnt from the GDPR experience is that a bottom-up approach – starting at the data attribute level – is overwhelming.

If we assume that it takes 5 minutes to accurately classify a single attribute, it will take 4.5 years to classify 100000 attributes. This may sound like a long time, but large organisations may eventually need to classify and regulate the use of millions of personal data attributes. This approach cannot possibly be delivered in the 12-month grace period.

Best practices to operationalise PoPIA

A May 2018 GDPR survey pointed to several best practices that are relevant to operationalising PoPIA:

  1. Cover all four pillars: People, Process, Technology, and Data
  2. Use a top-down approach to ensure results can be sustained
    1. GDPR / PoPIA are principle-based
    2. GDPR / PoPIA are about the responsible use of data
    3. People use data, through processes that are enabled by technology
  3. Involve everyone: It’s tempting when talking about data management to assume this is an IT problem only. In practice, data privacy regulations need board-level sponsorship and coordination, and joint leadership from legal, IT, HR and other business stakeholders

A top-down approach, supported by technology, is essential to automate key processes and provide an audit trail of decisions made.

Getting started is easy:

  • Identify stakeholders and clarify their roles and responsibilities.
  • Inventory how data moves across and beyond your organisation.
  • Assess what data and processes pose risks to the rights of the data subject.
  • Put controls and safeguards in place to address those risks.

Given the timelines and available resources, a triage approach may be necessary – ensuring complete compliance for high-risk / high-value processes and datasets by the deadline, and phasing in lower-risk datasets, systems and processes over time. Legal advice should, of course, be taken with respect to this approach.

Master Data Management provides a methodology and a number of tools to reduce the complexity of achieving PoPIA compliance, leveraging the lessons learned in Europe with GDPR.

Contact us at +2711 485 4856 for more information
