Protection of Personal Information Policies, Procedures and Practices

2017-12-07

Every organisation should have good protection of personal information (POPI) or data protection policies, procedures and practices. Some people call it a Data Privacy Policy or Data Protection Policy.

Some people refer to standards, but this is not the term used in data protection law. Standards are often included in codes of conduct, rather than policies. Just to be clear, this is not an internal employee Privacy Policy that deals with how an organisation processes the personal information of its employees. This is also not a Data Protection compliance policy.

Protection of personal information policies, procedures and practices should regulate the way in which employees (and maybe operators) process personal information with the aim of protecting it. The policy must dovetail with your organisation’s other policies and policy framework. Often a POPI or Data Protection Policy is part of an Acceptable Use of IT Policy or the issues are covered in other policies.

The target audience should be all employees who process personal information, but especially managers. It may also include operators.

Why are they important?

They are an important part of complying with data protection law. If the Information Regulator decides to fine you, it must consider whether you failed to operate good protection of personal information policies, procedures and practices. The fine could be up to R10 million. If you want to reduce a possible fine, you need to operate good protection of personal information policies, procedures and practices.

How can we help you?

  • Put a POPI Policy or Data Protection Policy in place by asking us to draft one for you. It must fit in with your organisation’s other policies and policy framework.
  • Update your organisation’s existing policies to deal with data protection by asking us to review and add to your existing policies. Sometimes this can be easier than trying to draft a new one.
  • Check whether your existing policies are up to date and in line with the latest trends by asking us to do a high-level review of one or many.

What should be in a Data Protection Policy?

They often have some general procedures and then deal with some specific areas, like:

  • Paper records
  • Retaining personal information
  • Email and personal productivity software
  • Remote access
  • Laptops and other mobile storage devices (incl. Mobile Phones, PDAs, USB memory sticks, External Hard Drives, etc.)
  • Using wireless networks
  • Data transfers and encryption
  • Posting of paper documents
  • Appropriate access and audit trail monitoring
  • Disposal of paper and media
  • Incident response

Characteristics of good policies

They should be:

  • short and to the point
  • in plain and understandable language
  • well structured
  • consistent
  • in line with the latest laws and rules
  • clear on what is permitted and what is not
  • specific, relevant and applicable to the target audience


If you are interested, please complete the form on the right or enquire now. We will contact you to find out more about your requirements and give you a quote.