Since its enactment, the Protection of Personal Information Act No 4 of 2013 (“POPIA”/”the Act”) has imposed numerous obligations on various organisations across South Africa to align their business operations with the prescripts of POPIA. However, for many organisations, the steps and measures required to meet the compliance standards set out in the Act remain a complete unknown. In this regard, at the core of any business’ compliance journey must lie a clear understanding of the data flow within the organisation, with specific reference to the manner in which personal information is processed and managed within each individual business unit.
The establishment of this understanding necessitates a critical analysis of the potential compliance gaps within an organisation in order to accurately measure and identify areas within an organisation’s various business operations that fall short of the requirements set out in the Act. To achieve the desired outcome, organisations must develop a clear understanding of the Personal Information Impact Assessment process (“PIIA”).
What is PIIA?
The PIIA is a mechanism by which organisations are able to measure compliance with the Act and can be a catalyst for the successful integration of the requirements of POPIA within the context of an organisation’s operations. This process entails measuring an organisation’s existing controls for the management of personal information against the lawful processing conditions set out in the Act. In implementing the PIIA process, organisations can distinguish (with some accuracy) between the various classes of information set out in the Act i.e. special personal information, personal information subject to the exclusions set out in the Act etc. Further to this and where applicable, PIIA processes are designed to further identify classes of information subject to the consent requirements set out in POPIA eg. the processing of a minor’s personal information.
The importance of the PIIA process:
In its essence, the PIIA process provides an organisation with a snapshot of the various control measures in place for the management of data, and more specifically, the personal information of data subjects within a given organisation. The PIIA process is essential to an organisation’s ability to put a systematic action plan in place to achieve its compliance objectives and is a critical tool for identifying the risks associated with non-compliance with the Act.
The PIIA process further allows organisations to identify business units/functions that may require additional training and/or exposure to POPIA awareness programmes for purposes of driving compliance within an organisation. By implementing further training programmes to drive compliance, key stakeholders are able to adequately manage compliance levels within an organisation.
PIIA: The process and what it entails:
As previously stated, the PIIA process is critical to an organization’s ability to measure compliance gaps and accordingly develop and implement an action plan to drive compliance.
Broadly speaking, the PIIA process necessitates that an organisation audit and review the existing controls in place for the management and flow of personal information. In order to achieve the desired outcome, an organization must be able to answer the following questions after the PIIA process has been conducted:
what, where and why does the organisation collect the personal information of data subjects;
is the information accurate, can it be updated or is it otherwise complete;
are there data privacy policies in place within the organisation? Is there a process for interested parties to access personal information (i.e. PAIA Manual);
does the organisation require, alternatively, have consent from its data subjects to retain or otherwise process their personal information;
how does personal information flow within the organisational structure (i.e. policies and protocols);
is there information within the organisation which relates to special personal information (as defined in the Act);
does the organisation process any personal information which is excluded in terms of the Act;
does the organisation share personal information with parties outside of South Africa, and if so, what measures may be required to be put in place to ensure that such sharing complies with the requirements of the Act; and
what IT safeguards does the organisation have in place and how does it control individual access control.
In answering the questions set out above, an organisation should be able to identify the relevant compliance gaps and develop an action plan to align all business operations within the organisation with the prescripts of the Act.
The successful integration of the processing requirements set out in POPIA within a given organisation necessitates the establishment of a systematic assessment and measurement process to guide an organisation in identifying critical compliance gaps and develop an appropriate action plan to address these gaps. For these reasons, the PIIA process is a fundamental aspect in any organisation’s compliance journey and is critical to its ability to mitigate the risks associated with non-compliance.