South Africa’s stunning landscapes, diverse culture and delicious cuisine tempt visitors from far and wide. From game reserves to wine estates, hotels to B&Bs, businesses in the hospitality industry must remain compliant with laws, acts and other regulations related to the industry.
One such act is the Protection of Personal Information Act (POPIA). It was signed into law in November 2013 and became fully enforceable on 1 July 2021. To avoid hefty fines (and, for certain offences, imprisonment) for non-compliance with POPIA, the tourism industry has had to seriously review the way it manages personal information.
Examples of categories of personal information that a business in the hospitality industry may process and retain include:
- Guests' personal information, including copies of identity documents and/or passports
- Employees' personal information
- Loyalty programme information
- Supplier information
All of these categories contain personal information as defined by POPIA, but they differ in sensitivity, so each may require different safeguards.
Unfortunately, the Act does not lay out a step-by-step approach, which makes reaching POPIA compliance somewhat challenging. Hospitality businesses need to examine POPIA and understand how it relates to their unique circumstances and requirements regarding the acquisition and management of personal information from employees and guests.
A basic approach to achieving POPIA compliance would include:
- Appointing an Information Officer
- Conducting a risk assessment
- Identifying gaps in controls or areas of non-compliance and resolving them
- Providing staff training
- Establishing and/or enhancing security systems to protect personal information
To make things a little simpler, this short guide explores these important steps as well as the eight conditions of the POPI Act for businesses operating within the hospitality industry in South Africa.
How To Get Started With POPIA Compliance
APPOINT AN INFORMATION OFFICER
The first key step in your POPIA journey is the appointment of an Information Officer. Your Information Officer must be registered with the Information Regulator and has specific duties and responsibilities. Some of these duties are listed below under Areas of POPIA Compliance.
CONDUCT A RISK ASSESSMENT
Conducting a risk assessment is an important early step in becoming compliant with POPIA. During this risk analysis, measure your company against the eight conditions of POPIA. Remember to analyse information kept on paper as well as electronic data. Assess using questions such as:
- What type of information does your company retain?
- Why are you retaining this information?
- What are you doing with this information?
- Does this processing comply with the POPIA conditions?
IDENTIFY AREAS OF NON-COMPLIANCE AND RESOLVE THEM
During your risk assessment you might find that you are not compliant in some or all areas. Identify the areas and processes that need attention and implement a plan to fix them. Keep written evidence of the processes and steps you have taken to become compliant; this documentation is what you will rely on if the Information Regulator asks how you handle personal information.
TRAIN YOUR STAFF ON THE POPI ACT
From your receptionist to your bookings manager, your entire staff complement should be aware of, and receive training in, the proper management of personal information as required by POPIA. Depending on the size of your company, this could be a large or small undertaking. Whatever form it takes, keep proof of POPIA training by retaining training materials and attendance registers.
ENSURE PERSONAL INFORMATION IS PROPERLY SECURED
For data kept as hardcopy as well as data stored digitally, your security safeguards should be assessed at least annually, and re-assessed whenever your systems or processes change. It may be best to consult a cyber security expert to design and implement controls suited to your unique business needs. Once again, retain proof of security updates and maintenance.
Areas of POPIA Compliance
As you conduct your risk assessment and work towards effective POPIA implementation, consider these eight questions:
Have you appointed an Information Officer?
This important step is essential to POPIA compliance. Every organisation that processes personal information must have an Information Officer who is registered with the Information Regulator and trained for the role. This individual must meet requirements such as:
- Being a natural person
- Being an employee of the company
- Being trained for the role
- Being at management level
- Having knowledge of the business operations and processes
Some of their duties include:
- Carrying out privacy risk assessments
- Dealing with requests from the Information Regulator
- Preparing the Promotion of Access to Information Act (PAIA) manual
- Creating awareness of information privacy and the proper management of personal information throughout the organisation
- Ensuring POPIA and PAIA compliance
Why does your business collect personal information?
Even though guests may willingly complete a booking form or provide a personal telephone number, they must know and understand why you are collecting this personal information from them. The information should be collected for a lawful purpose that is clearly communicated.
What do you do with the personal information you gather?
POPIA stipulates that you may only gather the information necessary to fulfil a specific purpose. This information should be collected for a justifiable reason and, as a rule, directly from the individual or company concerned. The processing must rest on one of the lawful grounds set out in the Act, for example the data subject's consent, or that the processing is necessary to conclude or perform a contract such as a booking. If no other ground applies, obtain the data subject's informed consent before collecting the information.
Remember to keep any further processing of that personal information in line with your original goal.
What is the level of your information quality?
All personal information should be complete, accurate, up to date and not misleading, and you should take reasonable steps to keep it that way, for example by correcting guest records when a guest notifies you of a change.
Are your privacy standards adequate?
Clients and employees should be made aware when personal information is being collected from them. Inform them of why their personal information is being collected, who will have access to it and how long you plan to store it.
Are your guests/employees/suppliers informed?
It is your responsibility to tell your clients, employees and suppliers how personal information is being gathered from them, how it will be kept up to date, and how they can request access to it or ask for it to be corrected or deleted.
How long is personal information held by your company?
According to the Act, you may keep personal information no longer than is necessary to achieve the purpose for which it was collected, unless a law or contract requires longer retention or the data subject has consented to it. This statement is somewhat broad and requires an approach tailored to your specific company. Either way, your clients and employees should be informed of what your retention period is and what you will do with their information afterwards, and records that are no longer needed should be securely destroyed or de-identified.
Do you know what to do in the event of a security breach?
Personal information must be kept safe. It is essential to assess the internal and external risks relevant to your specific business and to have protocols in place for managing a security breach. POPIA also requires that, where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, the Information Regulator and the affected data subjects are notified, so your breach protocol should include who makes that decision, who sends the notifications and how the incident is documented.
We Can Assist You
Navigating the requirements to become POPIA compliant can be a challenge. Our team of consultants strives to ensure this process is undertaken smoothly and correctly the first time. Get in touch with us today.