Almost one year ago, the Protection of Personal Information Act, 2013 (“POPIA”) came into force.

While some organisations appear to be content (and very likely complacent) about the effort they’ve invested to date to comply with POPIA, proactive organisations are now reflecting on the past year, and are strongly advised to:

  • assess whether the compliance measures they’ve taken to date meet the minimum requirements for compliance; and
  • establish what (if any) improvements can be made.

Many organisations have invested large amounts of time and money into their POPIA compliance. However, numerous organisations are still unsure as to what the “must-haves” or mandatory obligations are when it comes to compliance, and where they should now be focussing their attention.

Some organisations are also not sure whether the time and effort invested in their compliance initiatives to date meets the minimum requirements for compliance.

With POPIA’s first anniversary looming, a question which many organisations are beginning to ask is: “Have we done enough to comply?” For such organisations, a data protection health check is prescribed.

Below, we briefly discuss current trends and challenges we’ve seen many organisations face so far.

Theoretical to operative compliance

Many organisations are able to demonstrate a good level of “theoretical” POPIA compliance set out in their policies. However, it is less clear whether what has been documented on paper has actually been implemented in practice and whether operative compliance has been achieved.

For example, a business may have a well-drafted data subject access request policy, but staff may not be trained adequately to identify a data subject access request or to distinguish it from a request for a record in terms of the Promotion of Access to Information Act, 2002 (“PAIA”), or employees may fall victim to phishing attacks.

Lack of knowledge, governance and training

Many organisations have not yet appointed information officers (or registered these officers with the Information Regulator). In terms of POPIA read with PAIA, the chief executive officer or their equivalent would automatically be the information officer unless they authorise another person to act in this role.

Without leadership from a properly trained information officer and a suitable compliance framework in place, policies and procedures of a business are not sufficiently understood and implemented by the workforce.

Data breaches most often occur due to human error when people and teams are unaware of what they should be doing to ensure compliance. Training for the information officer and staff should be ongoing (we recommend yearly and upon induction) and should be practical, easy to understand and relevant to the roles of those being trained.

Lack of key documentation

Although many organisations have good policies in place, some organisations are still missing key documentation to evidence accountability in terms of POPIA.

For example, many organisations do not have a process for conducting personal information impact assessments or have policies or procedures in place to deal with data subject access requests.

Many organisations either do not have PAIA manuals in place or their manuals are outdated and do not take into consideration the changes brought about by the latest regulations promulgated in terms of PAIA.

In addition, existing incident response plans are often impractical and do not adequately address cyber insurance and the interaction between the notification requirements under POPIA and the Cybercrimes Act, 2020.

Data subject rights requests

Many organisations fail to understand how to balance the right of access to information in terms of POPIA and PAIA against the grounds for refusing such requests. This may lead to complaints to the Regulator.

Risk assessments

While POPIA requires that information officers conduct a preliminary risk assessment, the reality is that businesses evolve with time, and risk assessments concluded a year ago often don’t reflect the reality of the organisation’s processing activities. This is a major compliance gap.