10 Steps to POPI Act Compliance Checklist
Almost all organisations are faced with the challenge of achieving and maintaining compliance with the Protection of Personal Information Act No. 4 of 2013 (POPI Act). This handy checklist provides a proven step-by-step forty-action-point approach to compliance.
1. Formalise your POPI Act compliance project
- Identify your relevant stakeholders.
- Identify your project sponsor.
- Identify your project manager.
- Set high level scope, timescale, and budget.
2. Appoint an Information Officer
- Ensure alignment between your Promotion of Access to Information Act (PAIA) and POPI Information Officer (IO)
- Decide whether the CEO can fulfill the POPI Information Officer function or if he or she needs a Deputy/Deputies.
- Agree Information Officer and/ or Deputy Information Oficcer roles and responsibilities
- Complete the formal appointment process.
3. Perform a gap analysis versus the POPI Act
- Set meantime and final targets for compliance with the POPI Act. This does not mean diligently shooting for 100% regardless of costs and benefits.
- Engage with stakeholders in the assessment.
- Use an evidence-based approach.
- Use the assessments for ongoing compliance monitoring.
4. Analyse what and how Personal Information is processed.
- Use a broad definition of record types as per the POPI Act (e.g. CCTV, biometric).
- Look at the aspects as required by the POPI Act (including consent, purpose, source, sharing, and destruction).
- Take into consideration the rights of the user.
- Think carefully when deciding on the types of devices to use to store data.
5. Implement POPI Act compliance policies
- Review existing relevant policies.
- Ensure your policies are reasonable and appropriate.
- Make sure your policies are enforceable.
- Design your Privacy Notices for different groups in the organisation.
6. Review your websites
- Develop your checklist of what to review.
- Agree the rating scheme to be used.
- Use the opportunity to implement best practice such as Cookie notifications.
- Develop and implement your remediation plan.
7. Create your Promotion of Access to Information Act manual (PAIA)
- Confirm your organisation needs a Promotion of Access to Information Act (PAIA) manual.
- Confirm whether you are a Public or Private Body as per the PAIA
- Review the proposed contents of your manual
- Ensure your PAIA manual follows the prescribed layout and includes the necessary details
8. Implement POPI compliant PI management processes
- Look at the PI lifecycle: including acquisition, processing, retention, and destruction practices.
- Develop reasonable and appropriate measures to ensure ongoing compliance.
- These could include self-assessments, health-checks, and formal audits.
- Develop your own standards for compliance.
9. Train stakeholders about their roles in POPI Act compliance
- Design training according to their needs
- Ensure you treat user education not as a once-off series of activities but part of an ongoing commitment
- Leverage diverse training methods, including self-study, online, classroom, audio and video.
- Look to special needs such as the IO/DIO roles.
10. Make POPI Act compliance “Business-As-Usual”
- Recognise that POPI Act compliance will be the “new normal” and work that way.
- Build compliance into your products, services and processes.
- Ensure ongoing monitoring of the data protection.
- Build POPI into your everyday operations.
So in a nutshell, the purpose of the POPI Act is to ensure and enforce compliance from all South African institutions by holding them accountable if they mistreat people’s personal information or if they become irresponsible with the collecting, processing, storing and sharing of such information.