Why it is vital that companies gain a practical understanding of POPI now, and the consequences of not doing so.
It is important to do a high-level analysis of the personal information in your company before embarking on the POPI implementation journey. Companies should be doing this now and not waiting for the long-anticipated commencement date.
Organisations should have already started to identify the risk areas and be working on these. Alongside this activity, there should be a task team that takes on the responsibility for POPI compliance and readiness.
There are many misconceptions surrounding POPI. Many people do not even realise that POPI is not yet properly in force. Organisations need to understand when POPI will apply to them, and when not. If they understand how POPI works, they can adapt their processes accordingly.
Some organisations will be able to remove some of their activities from POPI’s reach by making simple changes. For example, if data falls outside the definition of “personal information”, the relevant data will not be covered by POPI’s provisions. Accordingly, some organisations can change their data-gathering habits to avoid collecting data that constitutes personal information.
So what are the three key factors to consider when preparing for POPI?
- Determine what kind of personal information you are processing and why you are processing it.
- Accept that POPI compliance is necessary to avoid fines and reputational damage, but that it can also make your business more efficient and streamlined.
- Raise awareness in your organisation. Preparation is easier if people in your business are familiar with POPI’s requirements and know where the issues lie.
For organisations that retain large quantities of personal data, identify the various types of information being collected and retained. Decide whether you can limit your collection and retention practices. Determine whether you need all the information currently being retained and whether some of it can be deleted.