
Appointment of the Information Regulator

The National Assembly has voted in favour of Advocate Pansy Tlakula being appointed as South Africa's new Information Regulator

On 7 September, the National Assembly voted in favour of Advocate Pansy Tlakula being appointed as the National Information Regulator. This enables the President to proclaim the Protection of Personal Information Act (POPI) effective and operational. In terms of the transitional arrangements contemplated in section 114, organisations would then have 12 months to become compliant, although the Minister may provide for a longer period, not exceeding three years.

What do we expect from this appointment?

Europe is in its 21st year of statutory privacy protection, and POPI was modelled on the EU Data Protection Directive (95/46/EC). In that period the various country-specific data protection authorities have provided significant direction and guidance through regulation, position papers and opinions. South African organisations will expect similar clarity from Advocate Tlakula on a number of POPI aspects. We anticipate that the first request will be for the maximum transitional period of three years, followed in close succession by a request for clarity around the breach notification protocols to both data subjects and the Regulator. Guidance will also likely be sought on what specifically constitutes appropriate and reasonable information security measures.

However, none of these clarification points should stop the initiation of, or progress with, your organisation’s POPI readiness project.

Don’t react by introducing, or spending money on, too many interventions at once. Becoming POPI compliant will take time. In the meantime, some quick and cost-effective steps are recommended in our 6-point checklist below. Each item lists the action, the key questions to ask, and the next step to take.

1. Consider the reputational impact of data breaches

  Key questions:
  • Do you have an incident management plan in place?
  • What penalties may be imposed?

  Next step: Do scenario testing to check the robustness of your incident response plan.

2. Develop a PI inventory

  Key questions:
  • Is this underway and close to completion?
  • How adequate is the control design?

  Next step: Consider a discovery tool to confirm the location of PI throughout the organisation.

3. Utilise the PI inventory to identify cross-border data flows

  Key questions:
  • Has consent been given to collect and process PI?
  • Which business processes require consent?

  Next step: Test the privacy policy, online notice and consent clauses for adequate protection against the risk of non-compliance.

4. Implement training and an awareness plan for privacy

  Key questions:
  • Is there a high-level understanding of the privacy plan?
  • Is there a formal communication plan in place?
  • Which media will be used to communicate the plan?

  Next step: Test the completeness of the plan, as well as your ability to reach all stakeholders timeously.

5. Review your information security strategy

  Key questions:
  • Do your timelines correspond with the one to three years allowed to become compliant?
  • Have the cyber threats been addressed, and have the human-factor risks been dealt with in the training sessions?
  • Do you understand your weak points?

  Next step: Do a data leakage risk assessment.

6. Review and update your retention and destruction schedule

  Key questions:
  • What timelines are stipulated for the remediation project to deal with archived data and documents that you are not entitled to retain?
  • What is no longer required for business purposes, and poses an additional risk with regard to data breaches and reputational damage?

  Next step: A plan for retention and destruction is required.
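Item 2 recommends a discovery tool to confirm where personal information (PI) actually lives. The scan below is an added example, not code from the original article or from any commercial tool: it walks a set of text sources, flags South African ID numbers (13 digits with a valid YYMMDD date prefix and a valid Luhn check digit) and e-mail addresses, and reports only masked values so that the inventory itself does not become a new copy of the PI. The source names and their contents are constructed samples; the ID numbers shown are the well-known 8001015009087 test value and a deliberately corrupted variant of it.

```python
"""Minimal PI discovery scan for a POPI inventory (added example, not from the article).

Finds South African ID numbers and e-mail addresses in text sources and
reports masked values with their location, so the findings can be filed
without copying the PI into yet another document.
"""
import re
from datetime import date

# Exactly 13 digits not embedded in a longer digit run.
SA_ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over the whole string; the SA ID's 13th digit is its Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_sa_id(candidate: str) -> bool:
    """13 digits, YYMMDD prefix that is a real calendar date, and a valid Luhn check digit."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    yy, mm, dd = int(candidate[0:2]), int(candidate[2:4]), int(candidate[4:6])
    for century in (1900, 2000):   # the two-digit year is ambiguous; accept either century
        try:
            date(century + yy, mm, dd)
            break
        except ValueError:
            continue
    else:
        return False                # not a valid date in either century
    return luhn_valid(candidate)


def mask_id(value: str, keep: int = 4) -> str:
    """Keep only the trailing digits so the finding is recognisable but not reusable."""
    return "*" * (len(value) - keep) + value[-keep:]


def mask_email(value: str) -> str:
    """Drop the local part; the domain is enough to locate the data owner."""
    return "***@" + value.split("@", 1)[1]


def scan_text(source: str, text: str) -> list[tuple[str, str, str]]:
    """Return (source, kind, masked_value) findings for one text source."""
    findings = []
    for m in SA_ID_RE.finditer(text):
        if is_sa_id(m.group()):     # 13-digit invoice refs etc. are dropped here
            findings.append((source, "sa_id", mask_id(m.group())))
    for m in EMAIL_RE.finditer(text):
        findings.append((source, "email", mask_email(m.group())))
    return findings


def scan_sources(sources: dict[str, str]) -> list[tuple[str, str, str]]:
    """Scan a mapping of source name -> text content; in practice this would be file paths."""
    results = []
    for name, text in sources.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample sources with hypothetical names (not real files or people).
SAMPLE_SOURCES = {
    "hr/payroll_export.csv": "Name,ID,Email\nThabo M,8001015009087,thabo.m@example.co.za\n",
    "finance/invoice_12.txt": "Invoice 1234567890123 ref 8001015009088 contact billing@example.com",
    "it/readme.txt": "No personal data here.",
}

if __name__ == "__main__":
    for src, kind, masked in scan_sources(SAMPLE_SOURCES):
        print(f"{src}: {kind} {masked}")
```

Run against the samples, the scan reports the ID number and e-mail address in the payroll export and the e-mail address in the invoice, but not the two 13-digit values in the invoice: one has no valid date prefix and the other fails the Luhn check. Pointing `scan_sources` at real file shares, mailbox exports and database dumps is what turns this into an inventory input; the masking is what keeps that inventory out of scope for item 6.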
