
Is your company ready for POPI?


Many organisations are not yet compliant with the Protection of Personal Information Act (POPIA) which comes into effect on the 1st of July 2021.

According to a survey conducted by TPN Credit Bureau on how ready companies are for POPI, only 27.4% are process ready and only 40.3% are ready from a governance perspective.

Technological readiness scored the highest at 57%, which is still a far cry from compliance. Of the 200 companies surveyed, only 8% scored above 80% for their POPIA readiness.

Although organisations are expected to be fully compliant with the POPIA by the 1st of July with all the necessary systems and processes in place, industry bodies were required to have submitted a code of conduct to the Information Regulator by the 1st of March 2021 according to Regulation 5 of the POPI Act.

Organisations that have not yet started the process of becoming compliant with the POPIA are urged to do so as soon as possible, as compliance is a time-consuming process.

"The Credit Bureau Association, for example, has submitted its code of conduct to the Information Regulator, who has subsequently opened the code up for public comment. In South Africa, credit bureaus are subject to the restrictions of the National Credit Act, which governs the processing of consumer credit information. However, credit bureaus cannot process credit profile information unless they have pre-approval from the Information Regulator," comments Michelle Dickens, CEO of TPN Credit Bureau.

Another past deadline relates to Regulation 4 of the POPIA which requires that organisations have an appointed Information Officer by the 1st of May. An Information Officer is responsible for, among other things, encouraging compliance with the POPIA; developing and implementing a compliance framework; and ensuring a personal information impact assessment is done to ensure adequate measures and standards exist.

The aim of the POPIA is to protect personal information and to prevent it from being exposed to unauthorised individuals or entities. This requires that a set of streamlined processes and systems be established that make it easy to identify where personal information is stored, how it is processed physically and electronically, who has access to it, and for what purpose it is required. Not surprisingly, becoming POPI compliant takes time and needs to be an ongoing process.

"A failure to be compliant has consequences, as organisations could face fines or other penalties depending on the nature of the offence, with a maximum 10-year prison sentence or a R10 million fine," she concludes.