The information regulator has published a readiness plan for the implementation of POPIA. Many people think that this might be a readiness plan that organisations can use to get ready for the POPIA deadline, but unfortunately it isn’t. I got really excited when I found the document, thinking that it might give us a blueprint to implement POPIA. But I’m afraid that’s not what this document is for.
The Operational Readiness Plan (ORP) published by the information regulator relates to the information regulator, and not other organisations trying to comply with POPIA. This plan will not help you to plan how you will implement the necessary controls to comply with POPIA. It might help you to know what the information regulator is planning to do over the next 12 months, which might help you plan. You might want to streamline your plans with those of the regulator.
A POPIA readiness plan or privacy framework
If you are a responsible party looking for a readiness plan for your organisation, this is essentially what our data protection programme is. Our programme gives you the steps organisations need to take. It is a type of checklist or framework but with so much more.
What action is the regulator planning to take?
The readiness plan contains a table setting out for each section of POPIA what action the regulator has to take, who will take it and by when. It looks pretty solid. Here are some examples of the information regulator’s plan.
Prior authorisation
- It plans to develop a pro-forma form for a responsible party to apply for prior authorisation from the information regulator (section 57). The CEO Executive: POPIA is responsible for getting this done by 31 March 2021.
- It plans to develop an application form to authorise a responsible party to process special personal information (section 27(2)). The CEO Executive: POPIA and Exec: LPRITA are responsible for getting this done by 31 March 2021.
Register your information officer
It plans to develop an electronic portal to register information officers by 31 March 2021 (section 55(2)). Note that the information regulator plans to develop a form for prior authorisations and an electronic portal for information officers. There will be thousands of organisations asking for prior authorisation and the regulator will need an electronic portal for it.
Stopping unfair discrimination
It plans to compile a list of laws and measures designed to protect or advance persons or categories of persons disadvantaged by unfair discrimination (section 29). The CEO Executive: POPIA and Exec: LPRITA are responsible for getting this done by 31 March 2021.
Detailed rules for the processing of health information
It plans to publish regulations in terms of section 32(6) to prescribe detailed rules for the processing of health information by certain responsible parties under sections 32(1)(b) and (f). The responsible parties include insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, administrative bodies, pension funds, employers or institutions working for them. The DOJ&CD Legislative Development Branch and Members are responsible for getting this done by 1 July 2021.
Enforcement committee
It plans to establish an enforcement committee by 31 March 2021 (section 50).
31 March 2021 is a key date
You will notice that 31 March 2021 is a key date by which the information regulator plans to do many things. This will only leave responsible parties three months to do what they need to do by the POPIA deadline. They are going to be three very busy months.
The purpose of the readiness plan for the implementation of POPIA
“The purpose of this Operational Readiness Plan (ORP) is to identify performance tasks and creating deliverables throughout the implementation period, to ensure the operating environment is prepared to effectively promote and protect the right to privacy as well as the right of access to information. The ORP will assist the Regulator to determine the readiness state of the organization and defines how close this environment is to the desired readiness state.”
It goes on to say that “The objective of the ORP is to critically look at the organization’s capacity to successfully deliver or to perform its functions under POPIA, as amended, and initiates appropriate actions or measures to bring a current state of readiness to one of confidence in long-term success of the organisation.”
You can download a copy of the ORP and go through it.