POPI demands a granular control of records
Directly linked to the challenge of the volume of processing of personal information is the level of granularity at which control needs to be exercised for some of the rules in POPI.
A simple example of this is the requirement to have retention rules for all records. Companies cannot just keep records for as long as they like anymore.
A company also needs to have a reason (purpose) for all the actions taken on every record. This applies throughout the period during which that record is held in the company.
Where does a company currently keep details of all these purposes? How do they check that the actions taken comply with legitimate purposes? Typical actions being referred to here are downloading, sharing with others, deleting, copying, or storing records that contain personal information.
This is another case for needing an automated compliance approach to handle the many requirements for managing data. This is particularly relevant for a company in a highly regulated industry, like for all Financial Service Providers.
TOSMS has a solution called TP-RCS that automates a company’s compliance regime around these many requirements. You can read more about this on the TOSMS website under the section that deals with the TP-RCS solution.
POPI spells complexity
So if we consider:
- the volume of transactions and the level of granularity at which control needs to be exercised because of the POPI Act,
- the need to consider whatever a company may be doing that changes the status quo of how it currently operates (like launching new products or planning mergers and acquisitions),
- the volume of requirements made up of other legislation, standards and policies needing to be complied with,
- the fact that companies are accountable for breaches to personal information given to third parties to process,
…then you have a highly complex environment to deal with.
Further articles will cover the process unpacking the legislation by having a look at the four main focus areas covered by the POPI Act.
More About Our Newsletter
References: Information contained in our newsletter includes extracts from the TOSMS online training program Introduction to Protection of Personal Information Act. The aim of providing this content is to assist individuals and companies in South Africa who are dealing with personal information about clients, suppliers and staff in coming to terms with the extensive requirements of the POPI Act. You will find more details on the course here.
Understanding POPI In Layman’s Terms: With the South African Information Regulator having been appointed, the next major announcement by government will be that of the effective date of the POPI Act. This announcement will kick-start the POPI one year transitional period and TOSMS decided to embark on an education initiative for subscribers to our POPI newsletter. What this means is that the POPI Act will be unpacked in bite-size chunks over the next year through a regular newsletter, to provide a useful reference for individuals impacted by the POPI Act. You can subscribe to our newsletter in the footer of our website.
We will include other articles of relevance from time to time. Mostly, we will be covering what is in our POPI training program. While it will not be as comprehensive as the training program, it will expose the issues for you. You can then explore further where it triggers the need in your business to consider changes.