Establishing Compliance Under South Africa’s Data Protection Regulation
The Protection of Personal Information Act (POPIA) took effect in South Africa in July 2021, following a lengthy revision process and a one-year grace period for organisations to become compliant. POPIA brings South Africa’s data landscape into alignment with a growing number of jurisdictions that have adopted stringent data protection regulations resembling Europe’s General Data Protection Regulation (GDPR).
The law comes into force as organisations in South Africa face mounting pressure across investigations, cybersecurity, data risk and rapid acceleration of digitalisation. According to FTI Consulting’s Resilience Barometer, 30% of large organisations experienced a data privacy issue in the last year and 30% also cited data privacy as a top area of concern for which they expect to be investigated in the coming 12 months.
While organisations in South Africa have had a year to understand the changes and to establish compliance, building and operationalising a comprehensive and sustainable compliance programme requires significant time and detailed planning. In addition to standing up new policies and procedures to reduce the risk of a POPIA violation, organisations must also account for overlapping provisions from the Consumer Protection Act 2008, the Cybercrimes Act 2020 and other existing information and technology governance standards and requirements, such as those outlined in the King Report on Corporate Governance for South Africa.
Organisations in South Africa should implement several key practices to enforce stronger data privacy and bring their operations into compliance with the full scope of existing law. These include:
Data Mapping
POPIA requires organisations to maintain documentation for all data processing operations under that organisation’s responsibility. To meet these responsibilities, organisations should develop an inventory, also referred to as a data map or record of processing activities, that captures how data is processed and how it flows through its lifecycle, from the point of collection through sharing, storage and deletion.
Data mapping is an essential activity that should encompass and draw upon the knowledge of all business units across the organisation. It should not be viewed merely as a tick-box exercise, but rather as an opportunity for an organisation to understand its data, optimise its use and identify gaps in data protection practices. A detailed data map will also help an organisation drill down into international data flows and identify where sensitive data resides.
Information Officers
South African organisations are now required to appoint an Information Officer to oversee compliance activities including the data protection compliance framework, the management of data subject rights requests and the provision of staff training and awareness. Under POPIA, Information Officers perform an important role in building and maintaining compliance, and are expected to act as a conduit between staff and executives to communicate, escalate and report on risks. This is especially true for Information Officers of public organisations, which are required to submit annual reports identifying how many data requests they’ve received from individuals, along with other data privacy programme metrics.
POPIA also addresses the appointment of Deputy Information Officers, which can be useful in helping large, multi-national and/or highly regulated organisations to fulfil data protection obligations and reduce the burden on the Information Officer.
Data Subject Rights
Like GDPR, POPIA provides individuals with rights in relation to their data, including the right to access copies of their data and to request the deletion of their data (known as the right to be forgotten under GDPR). To comply with these new rights requirements, organisations should implement policies and procedures outlining the steps internal teams must action to fulfil a request. These policies and procedures should identify the responsibilities of individuals and teams involved in fulfilling data subject rights. For instance, IT teams will be responsible for searching and retrieving data, while the Information Officer will be responsible for approving requests before they are sent externally.
Organisations that may be subject to frequent and particularly burdensome data subject requests should consider whether privacy and security software can be used to automate large parts of the request process. The same technology can also support elements of the other requirements outlined in this article.
Data Protection Impact Assessments
Organisations that determine why and how personal data is processed will be expected to conduct data protection impact assessments to identify any potential risks involved in the processing of personal data, and to ensure that sufficient controls and measures exist to protect it. If risks are identified, mitigation measures should be documented, along with a treatment plan to ensure that risks are remediated. In many cases, the Information Officer should take responsibility for driving the treatment plan with support from legal and IT teams.
Data Retention and Deletion
Over-retention of data is ubiquitous and a business risk that is often overlooked until an issue arises. Under POPIA, organisations will be expected to remove data that is no longer needed for the original purpose for which it was collected. The data map is an especially useful resource in meeting retention and deletion requirements, as it helps teams quickly identify data and determine the purpose and timelines surrounding it. However, to successfully facilitate compliant data retention, organisations should implement detailed retention and deletion policies that align with sectoral retention requirements. In addition to enabling compliance with POPIA, defensible retention and deletion practices can help an organisation reduce data storage costs and reduce its exposure in the event of a breach.
Breach Notification
Organisations are now accountable for issuing breach notifications when there are reasonable grounds to believe that personal information may have been accessed or acquired by an unauthorised person. Organisations are responsible for notifying both the Information Regulator and affected data subjects, with data subject notification required as soon as reasonably possible after discovery of a breach.
When notifying data subjects, organisations must provide sufficient details about the breach. Notifications must be made in writing and may be communicated by email, posted on the website of the responsible party, announced in news media or delivered as otherwise directed by the Information Regulator.
Operators, defined as any party processing data on behalf of a responsible party, are also required to notify the responsible party immediately if a breach is suspected.
It is clear that organisations have a number of responsibilities for breach notification under POPIA. To meet these strict timelines, organisations should create robust data breach policies that define the steps involved in responding to a breach and the stakeholders involved, including both internal and external individuals.
Training and Awareness
Training and awareness are fundamental to any change management programme and provide the foundation from which organisations can build a lasting culture of compliance. Information Officers should ensure that data protection and security training is provided as part of the onboarding process and repeated for employees on an annual basis, to reduce risk and support employees in participating in a culture of privacy.
In conclusion, with 37% of companies anticipating media scrutiny on data privacy compliance, it is imperative that organisations implement measures to mitigate data protection and security risks. Organisations based in South Africa, or those conducting business with South African companies and data subjects, need to build a durable and scalable solution that ensures their ongoing compliance with POPIA. As organisations grow and change, their ability to meet compliance obligations will also change; data protection and privacy compliance must therefore not be viewed as a one-off exercise, but rather as an ongoing, evolving practice.
Most organisations will likely either lack internal resources to operationalise POPIA effectively and/or face significant obstacles relating to legacy data storage practices and technology. Nevertheless, taking proactive steps to implement the practices outlined above will be critical in reducing compliance risk, narrowing the scope for negative media scrutiny or reputational harm and supporting a culture of trust that will drive competitive differentiation and greater business value.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.