The South African Information Regulator has been handing out a lot more s89 assessment notices recently. It’s great to see the Regulator building momentum, and the growth of data protection compliance across industries because of it. But many organisations are still unsure about how to handle these notices and the assessments that follow. If this includes you, don’t worry. Let’s take a breath, and walk through what an assessment notice is and what you should do about it.
What is a s89 assessment notice?
The best way to handle a fear is to understand it. With that in mind, it’s important to know that a s89 assessment is not an investigation based on a complaint, or an enforcement notice. Likewise, receiving a s89 assessment notice does not mean you’re staring down the barrel of a fine – not yet.
A s89 assessment is simply the easiest way for the Information Regulator to run a compliance assessment on how an organisation processes personal information. This can be prompted by a request from a third party (or yourself), or even the Regulator’s own initiative.
How do you handle a s89 assessment notice?
Don’t panic
Firstly, it’s crucial to stay calm. An assessment notice doesn’t imply that the Regulator thinks you’ve done something wrong. At its most basic, it’s a routine process to check your compliance with your data protection obligations. Treat it seriously, but look at it as an opportunity to show your commitment to protecting personal information. Better yet, it’s your very own Regulator-guided gap analysis.
Be respectful
Remember that the Information Regulator is simply doing its job. Being defensive and antagonistic in the face of the s89 assessment notice and any follow-up questions will just harden the Regulator’s stance against you. Remember that data protection law is principle-based – you don’t need to prove that you’re flawless, just that you’re taking reasonable steps in the right direction. Playing open cards with the Regulator will help them see that you’ve done what you believe is right, and you’re willing to hear their thoughts.
Prepare your records
Preparation is key. You’ll need to provide the Regulator with as much information as they need to satisfy their questions. If you’re not sure what information will help them, just ask – this will show that you’re committed to helping them streamline their process.
The kind of information the Regulator requires can vary greatly, depending on what exactly they want to check. In our experience, though, it’s a good idea to make sure that you have an up-to-date record of processing activities (ROPA) and relevant policies (including your privacy policy and incident response policy). You should also be ready to show practical evidence that these policies are actually followed, which could include training records and internal or external audits.
How can we help you?
Getting a s89 assessment notice can be daunting, but you don’t have to handle it alone. We can help you:
- start the assessment well by crafting a prompt and detailed reply to the Regulator’s letter;
- avoid fines by helping you prepare and present your data protection practices effectively;
- display your compliance by ensuring that your policies (like your privacy policy and incident response policy) are up-to-date;
- be compliant by helping you map your activities, and compile or update your record of processing activities;
- avoid risks by conducting data protection gap analyses or audits;
- improve awareness by conducting executive briefings and staff training on data protection.
If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.