The Protection of Personal Information (PoPI) Act is designed for international businesses to feel more secure in doing business with South African companies. If adhered to, it should increase South Africa’s credibility.
While businesses have five years to comply with the Act, the sooner your company starts implementing it, the more you will be following best practice, and ultimately avoiding fines.
Allison Walton, eDiscovery Attorney at Symantec offers the following advice:
- Understand the law: get a good understanding of the latest draft of POPI likely to become law and find out about penalties for non-compliance.
- Set up a team to be responsible. The role of IT and the information officer in the organisation will become more important.
- Review and understand the data.
- Understand how to manage the personal information you collect to comply with the law, address your customer’s demands, and protect your organisation
- Review processes and how information flows through the organisation and how information is managed
- Bear in mind the life cycle of information, the data being collected, where it is located and even how it will be destroyed later in the cycle
- Start reviewing earlier so organisations understand the complexities facing them
- PoPI compliance requires improved security posture and enhanced data protection capabilities. Put a privacy and data protection policies and data retention plans in place as a matter of urgency, backed by the technology and processes to implement it.
- Training of employees is essential – no matter how strong your privacy programme is, if employees don’t understand the layers and their responsibilities when it comes to handling that information .
Develop an information retention plan that allows your IT and legal team to coordinate to easily manage and archive data for long term storage, while allowing for quick discovery of information for legal, compliance or regulatory requests.
- Adopt a defensible deletion mindset: When organizations can adopt a defensible deletion mindset they can delete information with confidence according to their information retention policies.
- Implement a solution in which legal holds can override expiry policies: Consider a unified eDiscovery solution where legal holds can be easily implemented to override expiry policies to avoid spoliation and sanctions.
- Don’t use backups for long-term retention: Backups are for recovery (30 days max), archiving is for discovery (longer than 30 days). Deploy an archiving solution to quickly and easily respond to search requests for electronically stored information.