Which critical POPI governance issue is not covered in the POPI Act?
For background, TOSMS recently published articles covering the four main focus areas in the South African Protection of Personal Information Act, namely:
- The Data Subject;
- Personal Information relating to the Data Subject;
- The Responsible Party; and
- The nature of the Processing that a Responsible Party carries out on Personal Information.
All governance aspects in the POPI Act are logically grouped together under a workstream called “Governance”, which will be covered in subsequent articles.
What is important about having a Governance workstream?
The important thing about what we call the “Governance workstream” is that POPI needs to dovetail with whatever other regulatory compliance practices there are in your organisation.
POPI will affect policies and standards, among other things. Notably, there are various questions you need to consider when establishing a sustainable level of POPI compliance:
- Who is currently responsible for reporting on compliance with other legislation?
- Who is operationally accountable, and for which internal controls?
- Who is accountable for oversight, and what measures are used?
- What kinds of reviews are done annually?
- How are regulatory risks identified and escalated?
- How are complaints handled, and how are dealings with the regulators in your industry managed?
Not all of these issues have rules in the POPI Act that prescribe how they must be dealt with. Overall, the Act states that you have to comply with POPI; how you go about this should be driven by a top-down approach. The governing body should integrate POPI into the existing model for handling regulatory compliance. Of course, this is why there is a workstream called Governance.
The above is achieved through the application of Policies, Standards, Practices and Guidelines (PSPGs). Various other governance requirements will be covered in future articles.