Werksmans outlines a checklist for companies to follow in order to make sure that they are compliant.

RISKSA Magazine - CAREER

Audit the processes used to collect, record, store, disseminate and destroy personal information: in particular, companies must ensure the integrity and safekeeping of personal information in their possession or under their control. They must take steps to prevent the information being lost or damaged, or unlawfully accessed.

Define the purpose of the information gathering and processing: personal information must be collected for a specific, explicitly defined and lawful purpose that is related to a function or activity of the company concerned.

Limit the processing parameters: the processing must be lawful, and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.

Take steps to notify the data subject: the individual whose information is being processed has the right to know that this is being done and why. The data subject must be told the name and address of the company processing their information. In addition, they must be informed as to whether the provision of the information is voluntary or mandatory.

Check the rationale for any further processing: if information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.

Ensure information quality: the company processing the information must make sure the information is complete, accurate, up to date and not misleading.

Notify the Information Protection Regulator: when POPI is enacted and a regulator established, organisations processing personal information will have to notify the Regulator about their processing activities.

Accommodate data subject requests: POPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information. A data subject can also ask for a record of the information concerned.

Retain records for required periods: personal information must be destroyed, deleted or 'de-identified' as soon as the purpose for collecting the information has been achieved. However, a record of the information must be retained if an organisation has used it to make a decision about the data subject. The record must be kept for a period long enough for the data subject to request access to it.

Cross-border data transfer: there are restrictions on the sending of personal information out of South Africa as well as on the transfer of personal information back into South Africa. The applicable restrictions will depend on the laws of the country to which the data is transferred or from which the data is returned, as the case may be.

Find out if your industry regulator requires you to make any additional changes to your new information policy in order to comply with financial legislation.
