What if I told you that the Information Regulator is fond of health checks? Would you envision something as scary (to many) as a tooth extraction or blood test, or would you envision what it actually is: a POPIA Compliance Assessment? We’ve learned a lot over the last year about how the regulator plans to enforce POPIA. We learned about pre-investigation notices, information notices, and enforcement notices. We learned about the regulator’s approach to data breaches. We even learned that the regulator will not hesitate to take on government departments and other state entities. Very interestingly, we also learned about the power of a POPIA Compliance Assessment. The regulator showed us that they will use this compliance assessment to knock on the door of any organisation, and ask questions about what that organisation is doing to comply with POPIA.
What does a POPIA Compliance Assessment entail?
To answer the above question, I’d like you to picture, for me, a dentist coming to knock on your door and examine your molars. Picture your dentist emailing you a letter that asks you to take pictures of your teeth and package those pictures into a report of what you have been eating and what you have been doing to take care of your teeth.
Some of our clients have already received these letters from the regulator. The letter, while as scary as (if not scarier than) a visit to the dentist, is not impossible to respond to or honour. In it, the regulator typically asks you to address the following about your POPIA compliance:
- whether you have appointed a designated (or deputy) Information Officer;
- the personal information you’re processing;
- the data protection measures you have in place;
- the policies you have in place to help ensure good data protection; and
- the training you have provided to your employees and others in your organisation.
Why does the regulator want to do a compliance assessment?
The regulator does these compliance assessments to determine whether an organisation is compliant with POPIA (section 40(1)(b)(vi)). There does not need to have been a complaint by a data subject or some other third party. You could receive the letter simply because the regulator has learned of the kind of processing your organisation does and wants to know more about the data protection measures you have in place. We believe that the regulator will most likely focus on organisations that do a lot of processing and have a high profile: the big players, such as banks, credit bureaus, and other financial services providers. But this does not mean that your organisation will not receive a letter requesting a compliance assessment, so be prepared!
Can we help you answer the regulator’s health check?
In short, yes. We have already been helping a number of clients based on the specific notices they’ve received from the regulator. We even have a module in our data protection programme called resolving data protection disputes. It contains an overview of the different kinds of disputes that you can expect in a data protection context, especially disputes with the regulator. In the module, we break down what disputes with the regulator entail, and talk about a pre-investigation notice, an enforcement notice, and much more…