In terms of section 19 of the Act, the Responsible Party (business owner / employer) is required to introduce reasonable organizational and technical measures to secure the integrity and confidentiality of Personal Information. The organizational measures referred to above include, inter alia, both internal and external policies to introduce the principle of protection of personal information in the workplace, as well as the rights of data subjects.
Before 1 July 2021, the business of a Responsible Party should have done the following to be able to comply:
- POPI training / awareness sessions for the CEO / MD, managers and others tasked with the company’s POPI compliance project. Have a look on our website for the next POPIA training dates.
- Compliance audit to be conducted company-wide per department / division to determine the current processing practices within the organization and to establish what needs to be done to be compliant.
- Correction of contraventions as identified, and introduction of reasonable technical and organizational measures to prevent the loss or unauthorized access of Personal Information.
- Introduction of Data Subject rights and consent in the business through policies and consent clauses / paragraphs / contracts.
- The introduction of a PAIA manual (Promotion of Access to Information Act) that incorporates data subject rights and participation in terms of POPIA. This manual must be published on one of the company’s websites. It is also important to note that the current exemption granted by the Minister of Justice, which allows some businesses not to have such a manual in place, expires at the end of June 2021.
- General staff POPI policy and legislation awareness training.
- Registration of the company’s Information Officer (the CEO, MD or any person acting in such position).
- Follow-up assessment on compliance measures and adherence thereto.