POPI Compliance Solutions

POPIA Compliance framework and monitoring system

Designed to fulfil the requirements of the POPIA regulations, this POPIA compliance solution is a modular system that assists information officers to develop, implement, monitor and maintain a compliance framework for the POPI Act. Feature-rich, designed following international best practice, this comprehensive data protection management system provides the tools information officers need to fulfil their responsibilities using a single, unified platform.

Data flow analysis

Data flow analysis is a technique used to identify personal information and map sources, processing operations, storage locations, and information recipients. The POPIA process uses predefined templates to accelerate the analysis of an organisation's business processes and clarify the flow of personal information internally, and with external parties, to its various storage locations and timely destruction.

Register of regulatory requirements

POPIA requires that personal information must be processed lawfully. Without a proper legal basis, personal information cannot be processed. One of the legal bases for processing personal information is compliance with an obligation imposed by law on the responsible party. The POPIA compliance solution's legal register is a repository of data protection obligations contained in South African legislation. It provides a reference for responsible parties to check the compliance of their business operations against statutory obligations and record retention schedules.

Record of processing operations

Responsible parties are required to maintain the documentation of all processing operations under their responsibility. This is a considerable burden. Often spreadsheets and word documents are used to gather information from business units across the organisation. Tracking the collection, sharing information securely and maintaining version control is difficult and time consuming, thus there exists a risk that processing is not properly analysed. Our step-by-step, automated process assists responsible parties and information officers in gathering the required information, and maintaining the documentation at a centralised location.

Process assessor - adequate, relevant and not excessive.

Personal information may only be processed if the purpose for which it is processed is adequate, relevant and not excessive. Responsible parties and information officers are required to ensure the processing of personal information adheres strictly with the stated purposes, is not intrusive, and is minimal. Documentation is required to demonstrate compliance. The POPIA compliance solution's step-by-step, automated process will reduce the time and effort required by responsible parties to ensure POPIA compliance.

Personal information impact assessments

Responsible parties and information officers are required to complete personal information impact assessments to ensure that adequate measures and standards exist to comply with POPIA's regulations. The POPIA automated process provides guidance to responsible parties on performing these assessments of the impact of processing of personal information on the rights of data subjects and selecting appropriate technical and organisational measures and standards.

Privacy notice register and the PAIA manual

POPIA's privacy notice and transparency management system simplifies the complex process of creating, updating, and monitoring privacy notices across websites, application systems and business processes into one central location.

Data subject request handler

Data subjects have many rights under POPIA. The Act requires responsible parties to give a data subject a reasonable opportunity to exercise these rights, free of charge and in a manner free of unnecessary formality. The POPIA platform enables these rights using online forms for:

• Data subject information requests
• Data subject access requests
• Data subject objections
• Data subject rectification requests
• Data subject right-to-be-forgotten requests
• Data subject data export requests (in certain circumstances)
• Data subject requests for assurance.

Consent manager

Consent is one of the acceptable legal bases for processing personal information. However, the process to obtain consent and manage received consent is onerous. The POPIA privacy platform's consent management system keeps track of the business processes relying on consent and enables data subjects to check and change consent previously given. Where new or refreshed consent is required, the consent management module ensures a process to obtain valid consent is followed.

Direct marketing consent request

Before a responsible part contacts a data subject for direct marketing, the responsible party must request consent from the data subject using the form specified by the Information Regulator. The POPIA online process to contact multiple data subjects and request the completion of the prescribed form reduces the time and effort required to collect consent for lawful direct marketing.

Operator contract specification

Responsible parties are required, in terms of a written contract between the responsible party and the operator, to ensure that the operator which processes personal information for the responsible party establishes and maintains appropriate security measures. Responsible parties are required to identify the technical and organisational measures needed to counter the risks and specified in a written contract with the operator. When selecting technical and organisational measures, responsible parties must have due regard to generally accepted information security practices and procedures that may apply to it generally or be required in terms of a specific industry or professional rules and regulations.

Data subject notification

Responsible parties must take steps to ensure that data subjects are aware information is being collected and the purpose for which their personal information is collected. Where the information is not collected from the data subject, the data subject must be informed of the source from which it is collected, the name and address of the responsible party supplying the information, details of any particular law authorising or requiring the collection of the information and the consequences of failure to provide the information. This burden can be reduced through the use of the POPIA online system to organise this communication with data subjects.

Personal information classification and risk mitigation

The classification of personal information is necessary to determine the most appropriate technical and organisational measures to counter risks to the rights and freedoms of natural and juristic persons. The personal information classification scheme will provide your organisation with a standardised, baseline approach to counter the risks to data subject rights.

Data protection vulnerability evaluation

Potential attackers have greater opportunity to interfere with the processing of personal information when an organisation's processing is vulnerable. Responsible parties must continually assess the risks to data subjects and take action to minimise the vulnerability of their business processes to interference. The POPIA privacy platform enables responsible parties to configure their assessments or select one of the predefined assessments from the assessment knowledge base.

Operator compliance verification

The POPIA privacy platform enables information officers to assess and perform due diligence on operator's compliance with their contractual and legal obligations. Using a standardised due diligence process and predefined assessments for technical and organisational measures, each operator's current status of compliance is scored and the operator's actions tracked to improve the protection of personal information.

Records management

Personal information must not be retained any longer than is necessary for achieving the purpose for which it was collected or processed. Some personal information must be destroyed almost immediately whilst other information can be kept for longer in accordance with an approved retention schedule. The POPIA records management process is for the management of records of an organisation throughout the records life-cycle. It includes the systematic and efficient control of the creation, maintenance and destruction of the records along with the business transactions associated with them.. 

Incident management

Data protection incidents require early detection and prompt response. The POPIA platform provides automated tasks to identify, analyse, contain, eradicate and recover from the incident effectively and efficiently. The predefined actions provide a formalised and reliable method to respond to incidents.

Breach notification

POPIA Breach Notification centrally manages interference and incidents, automates tasks, and maintains records to demonstrate compliance with the legislation. The tool is powered by the knowledge base of breach related information and typical penalties imposed by regulators. With POPIA Breach Response automated workflows will enable timely decision-making and breach notification for small and large numbers of data subjects who may be affected.

POPIA eLearning

The POPIA eLearning module enables your organisation to conduct internal awareness sessions regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, and information obtained from the Regulator.  A wide range of POPIA-related courses are available.

Prior authorisation requests

Before high-risk processing can commence, the responsible party must submit a prior authorisation request to the Information Regulator. The POPIA platform's predefined workflow and templates assist responsible parties in preparing prior authorisation requests successfully.

POPIA information officer web-based toolset

Information officer toolset.

POPIA compliance online assessments

Online compliance assessments.

POPIA compliant Cookie Banner

POPIA cookie banner and notices.

POPIA compliant Web Analytics

Web analytics.

Data Subject Access Requests

DSAR record discovery.

DSARs, mail and document redaction

Data redaction.

 

• Information assets need to be identified
• Retention of certain types of records
• Promotion of easy access to information
• Maintain a register of documents received and dispatched
• Information classification Information protection when stored and processed
• Physical security and access control
• Identification of individuals entering premises
• Preservation of secrecy
• Record of all the reproductions of classified documents is to be maintained
• Disaster recovery and contingency planning
• Effective internal controls
• Admissibility and evidential weight of data messages
• Data destruction.

The POPIA Legal Register summarises these obligations for ease of reference. This legal register is an important source of information when responsible parties examine the legal basis for processing personal information in their business processes. The POPIA platform can include a Legal Register for your organisation with descriptions of the compliance issue, implementation requirement and status for each legal obligation.