
How to ‘POPI-proof’ your payroll

While POPI may be seen as legal red tape and a bit of a pain, it’s an opportunity to improve processes, which in turn will improve customer experience and result in cost savings.
By Sandra Crous, MD of PaySpace
Johannesburg, 15 Feb 2021

The Protection of Personal Information Act (POPIA) is based on eight principles and measures that need to be implemented in order to control information gathered on customers and employees.

These are accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.

When it comes to payroll, all of these principles are important, but in this industry there are several areas that are critical.

Firstly, the information any company collects on its employees must be used strictly for its original purpose, unless another legal requirement necessitates the organisation processing the information further, or the company obtains the employee's permission to do so.

Very important in terms of the Act, and how it affects the payroll department, is the safe storage of data. In this instance, payroll and HR need to ensure all information is accessible only by those who have legitimate access to it, and also guarantee that it is not lost, accidentally deleted, or exposed in the event of a data breach or another security incident.


So what are the steps needed to ‘POPI-proof’ your payroll? It is important to realise there is a lot to do when it comes to the POPIA:

  1. Make sure you understand the POPI regulations, as this is key to moving forward successfully. Without understanding how the Act could potentially impact the organisation, you are effectively back to square one.
  2. Review and update customer and supplier agreements, as well as any third-party partner agreements. Put measures in place to protect all employee information and prevent unauthorised access to it, and make sure that only the right people can access that information, by enforcing the principle of least privilege.
  3. Develop a culture of privacy within the company. Taking a top-down approach and getting management to enforce data privacy will filter down through the rest of the company, and it’s important for staff to know their information is treated with integrity. Implement awareness campaigns, and put policies and procedures in place to ensure privacy is maintained – after all, privacy is just as important as data security.
  4. Develop a comprehensive incident response plan. Having an understanding of exactly what needs to be done to prevent any further damage is critical to business continuity. Too often, people think of an incident only in terms of loss of data, but reputational damage and loss of customer confidence, which are infinitely harder to quantify, are important too. If the organisation has a solid plan in place to deal with breaches quickly and effectively, it will help to bounce back far more rapidly.
  5. Implement a data access management procedure to ensure that only the right people can access the right information. This policy will guard against any unauthorised access and must be in line with the POPIA and all other associated regulations, such as the Promotion of Access to Information Act.

These guidelines will put the payroll in a good place by 1 July 2021. But, be mindful of the pain points:

  1. Don’t wait till the last minute to implement the changes. We have had since 1 July 2020, but it is human nature to wait until the last minute. There is more to do than most organisations realise, so the more time you give yourself, the more time you have to fix any issues that might arise.
  2. Avoid doing everything yourself. We like to be masters of everything, but remember that we have specialists in the industry for a reason. Engage with trusted service providers to help ease the pressure. These can range from legal experts, cyber security experts, or payroll specialists. If there are any areas you don’t fully understand, or can’t deal with internally, utilise those experts.
  3. Make use of the regulation and this grace period we have been given as an opportunity to invest in the organisation. While POPIA may be seen as legal red tape and a bit of a pain, it is actually a real opportunity to improve the company. It could improve processes or operations, which in turn will improve customer experience and result in cost savings.

A lot has been said in terms of the POPI Act, and there is a lot of information out there. Make sure you are getting the right advice and resist the urge to look at POPIA as a tick-box exercise and merely something the company has to do. View it as an opportunity to take the business to the next level.


