The South African Parliament has shortlisted candidates for the Information Regulator, and the provisions of the Protection of Personal Information Act, 2013 (POPIA) relating to the Information Regulator’s functions are already in effect. With the new POPIA revisions already in effect, organisations are strongly encouraged to consider what implications POPIA will have for the way in which they process personal information.
Businesses that collect, hold, transfer and use individuals’ personal information have to do so under certain conditions. POPIA is particularly relevant for employers as they will have certain obligations as the “responsible party”. The consequences of non-compliance with POPIA are significant and include hefty fines as an alternative to imprisonment. A fine will be in addition to the reputational damage an organisation will suffer as a result of failing to comply with POPIA.
In light of these developments, organisations are encouraged to take the following eight steps towards compliance with some of the provisions of POPIA:
1. Review standard terms and conditions of service where services involve the processing of personal data for a customer;
2. Develop standard clauses around data protection to include in agreements with service providers, for example, obligations on third parties to protect and safeguard personal information as well as indemnities in the case of a data breach;
3. Conduct an audit as to what personal information is held by the organisation, where this information is held and by whom this information is held;
4. Establish what personal information is collected in one place and transferred to another and whether the countries to which the personal information is transferred have adequate data protection laws in place;
5. Develop group-wide standard data protection policies and protocols if these are not already in place;
6. Review direct marketing activities;
7. Include appropriate consents to data processing in employment contracts and job application forms;
8. Appoint an information officer and deputy information officers for POPIA purposes.
If you, as an employer, want to avoid penalties, it is important to do everything you can to comply with the new POPI Act.
Written by Monique Jefferson, senior associate, and Nadine Mather, associate, Employment and Benefits Practice, Bowmans