by Guinevere Morton CA(SA) Executive Manager at GRIPP Advisory
As companies across the globe react to the threat of increased cybercrime and data mismanagement, safeguarding ‘personal information’ is now central to good governance. To mitigate and manage this risk, legislators have rushed to introduce organisational requirements that facilitate safeguarding. Confirmation by the South African State President (Cyril Ramaphosa) that the Protection of Personal Information Act no. 4 of 2013 (POPIA) would come into effect from 1 July 2020, with a one-year grace period for compliance, has catapulted the issue to centre stage and galvanised the industry. After years of skirting around the issue, all responsible parties now have a deadline to work towards.
The gaming operations industry retains significant amounts of personal information, including material pertaining to patrons, employees, tenants and suppliers. South African gaming companies have operations spanning the continent, and personal information crossing borders is an additional complication. Correct compliance is now imperative, and the issue should be at the top of every Board agenda.
Synopsis of POPIA
The Act defines responsible parties as “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.”
POPIA applies to:
- Natural and juristic persons
- The public and private sectors
- Paper and electronic records
In a gaming operation, the personal information in scope typically includes:
- Patron information
- Employee information
- Tenant information
- Supplier information
- Personal information held by third parties (operators) engaged to retain it on the responsible party's behalf
Examples of personal information include:
- Identity number
- Contact details
- Marital status
- Employment history
- CCTV footage
- Online identifiers
- Financial data
Special personal information, which attracts stricter processing rules under the Act, includes:
- Health data
- Religious beliefs
- Personal views (political persuasion, philosophical beliefs)
- Biometric information
- Criminal record
The purpose of the Act is to give effect to a person’s constitutional right to privacy by safeguarding personal information whenever it is processed by a responsible party. This is subject to justifiable limitations, which include balancing privacy against the right of access to information and the free flow of information across borders.
The Act specifically prohibits a responsible party in the Republic of South Africa from transferring personal information about a data subject to a third party outside our borders, unless the recipient is subject to a law, binding corporate rules or a binding agreement that provides an adequate level of privacy protection, or another exception in the Act applies (for example, the data subject has consented to the transfer).
Responsible parties are required by the Act to adhere to eight conditions for the lawful processing of personal information. Briefly, these conditions cover:
- Accountability: the responsible party must ensure that all conditions set out in POPIA are complied with when determining the purpose of, and the means for, processing personal information;
- Processing limitation: personal information must be obtained lawfully and processed only on a recognised lawful basis, most commonly the data subject's consent, and only to the minimum extent required;
- Purpose specification: personal information must be collected only for a specific, explicitly defined purpose related to a function or activity of the responsible party, and must not be retained for longer than required for that purpose;
- Further processing limitation: further processing of personal information is permissible only if it is compatible with the purpose of the initial collection;
- Information quality: the responsible party must take reasonable steps to ensure that the information is complete, accurate and updated as required;
- Openness: the responsible party must be transparent with the data subject about what personal information is being collected, where it is retained and why;
- Security safeguards: the responsible party must implement appropriate technical and organisational measures to ensure that the personal information entrusted to it, or to a third-party operator, remains confidential and intact; and
- Data subject participation: data subjects may request confirmation of what personal information a responsible party holds about them, and may request that previously shared information be corrected or deleted.
Practical steps to compliance
Given this brief synopsis of the Act, what practical steps should responsible parties be taking to begin or further their compliance journey, keeping in mind that the deadline of 30 June 2021 (the end of the grace period) is fast approaching?
The Act requires the appointment of an Information Officer (the Chief Executive Officer or another duly authorised person). The Information Officer plays a pivotal role in establishing compliance protocols, monitoring compliance and dealing with any queries from the Information Regulator. This individual must be registered as such with the Regulator.
A POPIA project plan should be developed to ensure that a structured approach is adhered to when tackling this piece of legislation.
Key milestones should be set and progress against these targets should be reported to an organisation governing body.
Obtain an understanding of what personal information is held and retained by performing data mapping. Data mapping allows the organisation to understand what data is collected, where it is located, the risks it is exposed to, and the controls in place to protect it.
A Compliance Risk Management Plan (CRMP) should be compiled for POPIA, allowing the responsible party to assess their compliance status with applicable sections. This will highlight potential control gaps that need to be addressed to ensure compliance with the Act.
Governance relating to the protection of personal information must be strengthened through policies, standard operating procedures and guidelines. This includes updating existing policies that touch on the collection or retention of personal information. Organisational awareness training must be rolled out so that all employees understand the need to protect personal information.
Continual monitoring of compliance with POPIA should form part of every organisation's compliance function plan. In addition, independent assurance should be obtained as to whether key controls are operating effectively.
Implication of non-compliance
POPIA holds responsible parties accountable should any personal information entrusted to them be lost, abused or otherwise compromised. Reputational damage, combined with the threat of significant financial and legal penalties (a fine of up to R10 million, imprisonment of up to 10 years, or both for the most serious offences), is a frightening proposition for responsible parties.
The deadline and implementation phase are fast approaching and are being viewed with much trepidation.
The level of prosecution and the magnitude of penalties likely to be imposed in practice remain unknown. However, strict compliance, achieved through improved processes and good governance, is both possible and attainable, and affords the organisation increased security and responsible parties a heightened level of comfort.
Contact the Author: Guinevere Morton CA(SA), Regulatory Compliance Lead: Guinevere@grippadvisory.co.za