Data intensive businesses and POPIA
"My business processes and stores quite a large amount of information relating to our clients. We are well aware of POPIA that has now come into effect and have been putting basic processes in place. However, I remain concerned that we are not doing enough/underestimating our obligations. What should I be preparing for?"
As you have correctly noted, the Protection of Personal Information Act 4 of 2013 ("POPIA") has commenced with news of this reaching most businesses, including the fact that businesses have until 30 June 2021 to get their POPIA house in order or face the risk of being sanctioned for non-compliance.
That said, while most businesses to some extent process personal information, there are businesses, like yours, that process data on a large scale. So, what does this mean for these data intensive businesses?
The short answer is that the POPIA obligations on businesses are generally largely the same. What differs however is the implementation of these obligations. The reality is that the more data you process, the more comprehensive your POPIA implementation plan will have to be and the more resources need to be allocated to achieving compliance before 30 June 2021. Given that penalties for non-compliance may be quite severe, businesses that process large quantities of data, will need to use all the time available to ensure their POPIA compliance before the deadline, and then similarly allocate sufficient resources to reviewing and maintaining their compliance thereafter.
To ensure compliance a number of actions need to be taken by a business. Such actions include, among others: that the business have a POPIA policy; appoint a person or persons responsible for administering the policy; and ensure that training is provided to all relevant employees on the policy and its implementation.
For data intensive businesses this may require the formation of a task team with the mandate to formulate an appropriate POPIA policy for the business. Such task team would probably need to include legal, human resource, finance and information technology expertise.
For a start, the task team would have to conduct an internal audit, to assess where the business stands in relation to the various POPIA pillars of compliance. Once the status quo has been ascertained, the team can identify which actions are needed to attain and maintain POPIA compliance by the business.
Next the team would need to assess which policies, agreements and other documents will have to be amended or developed and then implemented within the business and its operations. Such implementation will have to provide for training to staff on new practices, procedures and documentation.
The task team will need to make sure that all aspects of the business is reviewed. This will also include assessing the involvement of third parties that you share information with or that may process information on your behalf and that the necessary agreements or undertakings are put in place with such third parties.
The task team will have a big job on its hands, particularly with a business that is data intensive. As such the team will need to move fast to have things in place by 30 June 2021, have a clear mandate and have the necessary expertise in order to ensure that what is rolled out is appropriate, implementable and compliant.