POPI Act implementation at the Airports Company of South Africa
Compliance with the Protection of Personal Information Act (POPIA) can provide your business with a competitive edge or place it at a huge risk. With the deadline looming, organisations are scrambling to ensure compliance so that they can avoid being liable for administrative fines of up to R10 million, and avoid a civil action lawsuit and/or a prison term as custodians of personal information.
Portia Simelane, Group Manager: IT Governance and Resilience at the Airports Company of South Africa, will share her story on the implementation of POPIA at the company at the ITWeb Governance, Risk and Compliance 2018 on 20 February.
ITWeb: What is POPIA? And how will it affect businesses in South Africa?
Simelane: POPIA refers to South Africa's Protection of Personal Information Act, which was signed into law by the president in 2013. POPIA aims to regulate the way personal information is collected, processed, stored, and used by public and private entities, as well as natural persons; what the Act generally refers to as data subjects.
All businesses in South Africa will be compelled to comply with the Act should they process personal information; they will need to ensure that when they do so it is in line with the eight conditions prescribed in the Act. For many businesses this could mean a complete overhaul of how they do their business in relation to the personal information in their possession. Although a compliance burden, it can also be seen in a positive light as an advantage for companies as the privacy of their respective data subjects improves trust, which generally translates to good business dealings.
ITWeb: Can you tell us a little about ACSA's journey in implementing the Protection of Personal Information Act?
Simelane: ACSA's journey towards compliance started in 2014; the first step was to train key personnel in the organisation on POPIA and the implications of POPIA for ACSA. A project was simultaneously initiated. The team was made up of business analysts, a project manager and key staff members who are referred to as POPIA champions. In rolling out the project, the first step ACSA undertook was to conduct an organisation-wide analysis of the state of the processing of personal information in relation to the conditions of the Act at the time. Organisational processes were analysed to understand the processes that will be impacted by the Act. Each process was mapped against the eight conditions to identify gaps. The analysis, or readiness assessment, was used to establish how ready the organisation was to comply with each condition. For significant areas of exposure, recommendations were proposed and implementation plans per department have been developed. The project team is in the process of assisting the POPIA champions of the business units with the implementation of the proposed recommendations.
In parallel with the readiness assessment, the project team developed the POPIA governance toolkit; this includes a POPI policy, procedure manual, incident forms, privacy statement and relevant consent clauses. Establishing the governance is critical as it formally allows for the enforcement of compliance across the whole organisation. Existing policies were updated to ensure alignment and compliance with the POPIA Policy.
The rollout of the project is still underway; ACSA hopes to be compliant with the Act by the time the Regulator announces the start date.
ITWeb: In your opinion, what will the positioning of the Information Officer look like in the future?
Simelane: In my opinion, the Information Officer (IO) role will be a critical role that could potentially reside within the Corporate Governance and Compliance space. The IO will play a key enterprise-wide role within the organisation. This role would ideally not exist in isolation but work in a collaborative way with the likes of enterprise security, IT security, records management and data governance management, to name but a few. The IO would need to be part of key management committees to stay abreast of all changes relating to the processing of personal information or new information being introduced into the environment; thus, this role will be very influential.
I believe that the Information Officer will be best positioned in the compliance area, as the Act needs to be enforced and compliance with the Act needs to be monitored on an ongoing basis, and this area is best suited to do so.
ITWeb: What top three key points would you like to leave the delegates with from your upcoming presentation?
Simelane: Take time to thoroughly assess the organisation and identify areas of exposure. In my experience many of the areas of concern are likely to be similar across the organisation. However, this can only be ascertained and confirmed once the organisation has been assessed. When conducting the analysis, start with the high-priority areas or functions where the organisation will be most exposed by virtue of the volume of personal information processed in those areas, e.g. human resources, procurement, core operations etc.
Secondly, one needs to ensure that the governance is in place early in the implementation and ensure awareness training is provided. Awareness training on the Act and the relevant organisational policies and procedures is key to ensuring that staff are aware of what is expected of them and how they should handle personal information.
Lastly, compliance with POPIA is not a quick fix; it is a journey that requires significant cultural and behavioural change; thus significant change management is required throughout the lifecycle of the project and post-implementation.