1. Written appointment of the Information Officer (IO) unless it is the Chief Executive in which case the appointment is automatic by law. Also, appoint Deputy IOs if you believe this is necessary.
  2. Register the IO and DIO on the Information Regulator (IR) website and get your certificate of registration.
  3. Draft/update your POPI policy and practice manual.
  4. Draft an Incident Response Plan (i.e. a plan that explains what happens if the Personal Information (PI) under your or your “operator’s” management and control is compromised).
  5. Draft/update your Privacy Policy for your website and business.
  6. Set up training sessions for your managers and staff who process PI and at the training ensure that: (i) you keep an attendance register, (ii) you have them sign the Annexure to the Employment Contract on POPI, and (iii) you hand out the POPI policy for their reference.
  7. Ensure your s51 PAIA manual is crafted and posted on your website.
  8. Identify all “operators” as defined and ensure you enter into/obtain their contractual terms relating to POPI. Remember at least two matters must be addressed in that POPI contract with the “operator”:

(i) the operator must warrant that it complies with POPI and related PI statute, and
(ii) that it will immediately advise you if the information you provided to the operator is compromised whilst in the hands of the operator.

This is because YOU will have to report the data breach to the Regulator and contact the impacted data subjects.

  9. Data subject participation: Remember that ALL previous and current suppliers, employees and clients/customers have the right under POPI to participate in their data, which basically means they must have a simple and effective channel (recorded by the employer) that allows them to contact the IO/DIO to request UPDATE, DELETION, DESTRUCTION, OBJECTION, COMPLAINTS, OPTING IN (for e-marketing purposes).

Remember that from 1 July 2021 all new data subjects must give their permission for e-direct marketing before you send out marketing collateral.

  10. I highly recommend you list all systems, tech and programmes you use and have your IT department give written assurance that all is in order – firewalls, anti-virus, user access, back-ups, encryption, etc.
  11. Finally, an impact assessment matrix that requires each function to identify the processes it engages in that process PI and then to ensure that the systems and staff conduct are up to scratch. Where any PI is sent outside SA borders, Special PI is dealt with, or data subjects under 18 years are involved, ensure that the necessary POPI provisions are complied with.

If you have any questions about the above, please contact John Botha on [email protected].