As organisations navigate the maze that is the Protection of Personal Information Act (POPIA), many still struggle to understand the implications and requirements of the Act. Alyssa Pretorius, Senior Consultant at BDO – Cyber Lab at BDO South Africa, sheds some light on the importance of bridging the gap between cyber and legal aspects when addressing data privacy concerns under POPIA.

With POPIA now in full effect, it is important that companies fully understand what they are committing to. While the act outlines the "what" in terms of compliance, it may leave the underlying "why” open to questions. 

To sum it up, POPIA came to life to ensure that the personal information of citizens is protected. The Act recognises the right to privacy enshrined in the Constitution and gives effect to this right through mandatory procedures and mechanisms for the handling and processing of personal information.

POPIA defines eight information protection principles that organisations must adhere to in order to ensure data privacy and compliance to govern the processing of personal information with specific provisions for:

• direct marketing,
• automated decision making,
• the processing of cross-border flows of data (see section 72 of the POPI Act).

These eight prescribed condition are:

• Accountability: Organisations must take responsibility for complying with POPIA and ensuring that personal information is handled lawfully and securely.
• Processing Limitation: Data processing should be limited to what is necessary for the intended purpose, and excessive data collection or retention should be avoided.
• Purpose Specification: Organisations must specify the purpose for collecting personal information and inform data subjects accordingly.
• Further Processing Limitation: Personal information should not be processed for purposes incompatible with the original purpose of collection without obtaining additional consent.
• Information Quality: Organisations must ensure the accuracy, completeness, and relevancy of personal information collected.
• Openness: Data subjects should be informed about the collection, processing, and storage of their personal information, as well as their rights to access and rectify their data.
• Security Safeguards: Organisations must implement appropriate technical and organizational measures to protect personal information against unauthorized access, loss, or destruction.
• Data Subject Participation: Individuals have the right to access and correct their personal information, as well as the right to object to the processing of their data.

Although these eight conditions do provide a type of ‘road map’ for compliance, the question of whether policies and procedures alone can guarantee POPIA compliance has been a topic of contention across all sectors, as well as in various panel debates at IT conferences.

The only certainty is that until organisations undergo the implementation process, it is challenging to gauge the effectiveness of policies and procedures alone. POPIA compliance requires a comprehensive approach that includes not only documentation but also technical and organisational control measures.

It is important to be aware of the consequences of non-compliance. Organisations can face severe penalties, including fines of up to R10 million and even imprisonment which is why it is important that your organisation prioritise compliance and implement robust control measures to protect personal information.

So what is the ideal approach to POPIA?

In response to the POPIA compliance requirements, organisations have taken two main routes:

• Employing legal counsel as a deputy information officer: Engaging legal professionals ensures a strong focus on governance, legal compliance, and regulatory interpretations related to data privacy.
• Employing IT directors as deputy information officer: Leveraging the expertise of IT professionals allows organizations to emphasize security safeguards and efficiently manage potential data breaches.

While there is no definitive right or wrong answer to choosing between legal or IT professionals as deputy information officers, there is a strong case for finding ways to bridge the gap between these domains. By recognising the complementary strengths of both legal and IT expertise, organisations can effectively approach the struggle with the ‘best from both sides’ to ensure they effectively dot the i's and cross the t's.

However, many may not have the expertise to handle this inside their organisation. This is where seeking help from experts at BDO who understand the importance of aligning legal requirements with technical implementations becomes crucial. 

By handing over the complicated processes of integrating legal counsel with IT expertise, organisations can ensure comprehensive data privacy strategies that encompass both governance and security safeguards. This will allow them to navigate the complex landscape of POPIA compliance with complete peace of mind that they have established the most robust framework for data privacy in this digital age.

Written by Alyssa Pretorius, Senior Consultant at BDO – Cyber Lab at BDO South Africa