POPI IS MORE THAN A COMPLIANCE ISSUE
HOWEVER, COMMIT TO COMPLIANCE BY BEING AWARE OF THESE FIRST 10 STEPS TO FOLLOW:
Data privacy has been law in the European Union (EU) for nearly 20 years! In South Africa, the Protection of Personal Information Act (POPI) was only passed in 2013. Many companies knew that POPI was coming and have been preparing for it. Some companies with links to the EU had already been implementing data privacy before POPI was passed, due to international pressure. The international organisations that SAIPA is affiliated with are all serious about data privacy. And why shouldn’t accountancy professionals take privacy seriously too? After all, people trust accountancy professionals with some of their most important personal information, such as financial information. Handling information properly and protecting it correctly has always been vital, but now POPI makes it a legal requirement.
However, POPI is about much more than just compliance. By protecting people’s information, you will keep their trust and protect your reputation. Many local and international businesses use privacy as a way to boost business. POPI is about trust. Imagine how you would feel if a company lost or shared important financial or health information about you without your approval or knowledge.
We all know the frustration of receiving unwanted phone calls from people trying to sell us products. ‘Where did they get my number?’ we wonder, which is quickly followed by the thought ‘If I get my hands on the person who gave them my number…!’
In 2011, I travelled to 12 cities in South Africa presenting SAIPA CPD workshops, including seminars on POPI. It was a wonderful experience, and I was able to meet many SAIPA members who shared their worries and concerns about POPI. The concerns SAIPA members had are similar to the concerns I hear today from business. ‘What are the things that we must do to comply with POPI?’ and ‘Where do we start?’
Recently, a senior Professional Accountant (SA) commented: “If Professional Accountants are finding POPI challenging, then just imagine how our clients feel!” I had to agree. “After all, most of our clients are SMEs. They are struggling to make head or tail of POPI, and they turn to us for help,” he added. I had to agree again. SMEs often do not have the knowledge to comply with laws and therefore turn to their trusted advisors. It is important for Professional Accountants (SA) to get POPI-compliant themselves, because only then can they support their clients.
SAIPA is fully committed to helping its members and their clients when it comes to POPI compliance. These are the first ten steps towards ensuring compliance:
- Appoint or outsource to an information officer
- Find out what personal information you have, where you have it and what you do with it
- Establish and define the purpose for which you are processing personal information
- Obtain consent from people (data subjects) to process their information for the purpose you have identified
- Train employees
- Redraft contracts to include the POPI requirements
- Check sector-specific legislation (e.g. customs and excise) to determine any additional or conflicting requirements around privacy, record-keeping, etc.
- Implement measures to protect the personal data at every stage of its life cycle (i.e. from creation to destruction)
- Relook at your paper-based and digital technologies and processes to ensure that they are compliant with POPI
SAIPA has put together a series of podcasts for members on the POPI topic. Members can download these podcasts and earn CPD hours.