ACCOUNTABILITY

The responsible party has implemented organisational measures that ensure authorised management is informed about, involved in and accountable for personal information processing operations. Measures include, but are not limited to:

  • the implementation of appropriate data protection policies;
  • formal allocation of roles and responsibilities;
  • formal reporting lines;
  • documentation of decisions impacting data protection.

 

POLICIES AND PROCEDURES

The entity reviews, on a regular basis and at least annually, the operational effectiveness of its data protection governance policies and procedures and adapts them accordingly. Policies should cover at least the following topics:

  • the record of processing activities;
  • data subjects' rights;
  • the information officer’s role, responsibilities and resourcing;
  • personal information breach handling;
  • conditions for the lawful processing of personal information;
  • personal information transfers (if applicable);
  • use of operators (if applicable).

The review is:

  • performed or delegated by authorised management to resources with relevant business, legal and technical competencies;
  • documented and exceptions are followed up upon;
  • approved by the organisation's management.

 

RECORD OF PROCESSING OPERATIONS

The responsible party reviews and approves on a regular basis and at least annually, or when significant changes in the data privacy landscape of the organisation occur, the record of the personal information processing operations under its responsibility to ensure completeness and accuracy of the documented processing operations.

 

DOCUMENTATION OF PROCESSING OPERATIONS

The organisation has documentation of its personal information processing operations that contains, at least, and for each processing operation:

  • the name and contact details of the responsible party and, where applicable, the joint responsible party and the information officer;
  • the purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal information;
  • the categories of recipients to whom the personal information has been or will be disclosed, including recipients in third countries or international organisations;
  • transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  • the envisaged time limits for erasure of the different categories of information;
  • a general description of the technical and organisational security measures to ensure a level of security appropriate to the risk of the processing.

 

DOCUMENTATION OF THE OPERATOR'S PROCESSING

The organisation has documentation of all categories of processing operations carried out on behalf of its responsible parties that contains, at least, and for each category of processing operation:

  • the name and contact details of the sub-operator(s) and of each responsible party on behalf of which the operator is acting, and the information officer;
  • the categories of processing carried out on behalf of each responsible party;
  • where possible, a general description of the technical and organisational security measures to ensure a level of security appropriate to the risk of the processing;
  • where applicable, transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards.

 

DATA SUBJECTS' RIGHTS

The organisation has implemented measures to ensure that:

  • a contact point (e.g. information officer) has been established for receiving data subjects' requests for exercising their rights, that is easily reachable;
  • a system is implemented to record requests and ensure their timely execution and documentation;
  • for rejected requests, the justification for the rejection is documented and communicated to the data subject (or the responsible party).

 

APPOINTMENT OF AN INFORMATION OFFICER

An information officer with adequate resources is appointed.

The organisation has implemented measures that:

  • ensure that the information officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal information;
  • ensure that the information officer is supported by the entity's management in performing his/her tasks, in particular by providing the time and resources necessary to carry out those tasks, access to personal information and processing operations, and the means to maintain his/her expert knowledge;
  • ensure that the information officer does not receive any instructions regarding the exercise of his/her tasks. He or she shall not be dismissed or penalised for performing his/her tasks. The information officer shall directly report to the highest management level of the responsible party or the operator;
  • ensure that data subjects can contact the information officer with regard to all issues related to processing of their personal information and to the exercise of their rights under POPIA;
  • ensure that the information officer is bound by secrecy or confidentiality concerning the performance of his/her tasks;
  • ensure that the information officer is not involved in tasks and duties that could result in a conflict of interests.

 

CONTACT US for more details of the compliance criteria.

CERTIFICATION CRITERIA

POPIA certification criteria

The overall aim of certification is to give confidence to all parties that the certification target (e.g. process, service, or product) of an operator or responsible party fulfils the specified data protection requirements for certification. The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment by a third-party (e.g. POPIA Certification (Pty) Ltd).

Parties that have an interest in certification include, but are not limited to:

  1. responsible parties;
  2. customers of responsible parties whose products, processes or services are certified;
  3. operators (service providers and sub-contractors) of responsible parties;
  4. Information Regulator and other governmental authorities;
  5. non-governmental organisations;
  6. data subjects, consumers and other members of the public.

Interested parties can expect or require the responsible party to meet all the requirements (certification criteria) of the certification scheme.

Certification of products, processes or services is a means of providing assurance that they comply with specified requirements in standards and other normative documents. Some product, process or service certification schemes may include initial testing or inspection and assessment of its operators' data processing systems, followed by surveillance.

Certification criteria specify the data protection requirements (POPIA obligations) which must be met to satisfy the requirement for certification. These requirements will ensure certification in a competent, consistent and impartial manner. Certification criteria can be focused on specific processing, technologies and domains (e.g. cloud computing).


Certification of POPIA Compliance

What can be evaluated?

  • The development and implementation of a POPIA compliance framework (regulation 4a)
  • Specific business processes, services or products (section 8)
  • Selected personal information impact assessments (regulation 4(b))
  • Enablement of data subject rights (section 5).

 

Processing activity (as per the register) | Role | Level 1 Organisation | Level 2 Circumstances / purpose | Level 3 Functional application | Level 4 IT infrastructure
Recruitment | Responsible party | Financial institution | HR department | SAP-HR | Windows server farm, Oracle DB
Newsletter | Responsible party | Financial institution | Marketing | CRM | Cloud solution (SaaS)
AML/KYC | Responsible party | Financial institution | Compliance | World Check | Unix servers, Oracle DB

 

What is achieved?

Assurance that:

  • The constitutional right to privacy is being respected and fulfilled.
  • The conditions for the lawful processing of personal information are complied with.
  • Appropriate technical and organisational measures have been implemented.
  • Adequate safeguards are implemented to protect data subject rights.

 

POPIA Compliance Framework Development and Implementation

Assessment criteria focus on:

  • framework completeness
  • safeguards to protect personal information
  • capability in protecting privacy rights
  • readiness for non-compliance
  • breach notification capability.

 

Compliance with the conditions for the lawful processing of Personal Information

Assessment criteria focus on:

  • the legitimacy of the processing of personal information
  • the conditions for the lawful processing of personal information
  • the data subjects’ rights
  • the personal information impact assessments, pursuant to regulation 4(b)
  • the safeguards put in place to protect personal information
  • the obligation to notify data subjects of breaches.

 

POPIA Personal Information Impact Assessments

Assessment criteria focus on:

  • target of evaluation
  • documentation of processing operations
  • risk assessment
  • countermeasures
  • implementation of effective safeguards.


Preparing a Request

The responsible party must obtain prior authorisation from the Regulator prior to any processing if that responsible party plans to—

  1. process any unique identifiers of data subjects—
    1. for a purpose other than the one for which the identifier was specifically intended at collection; and
    2. with the aim of linking the information together with information processed by other responsible parties;
  2. process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
  3. process information for the purposes of credit reporting; or
  4. transfer special personal information or the personal information of children to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.

IMPORTANT: A responsible party is guilty of an offence if he/she/it does not obtain prior authorisation from the Regulator when it is required.

Prior to making a request, the responsible party must complete a personal information impact assessment. The personal information impact assessment must:

  • describe the nature, scope, context and purposes of the processing;
  • assess necessity, proportionality and compliance measures;
  • identify and assess risks to data subjects; and
  • identify any additional measures to mitigate those risks.

CONTACT US for more information and assistance with obtaining prior authorisation from the Information Regulator.

Validating Operator Assertions of Compliance

Responsible parties must secure the integrity and confidentiality of personal information in their possession or under their control by taking appropriate, reasonable technical and organisational measures. In order to do this, the responsible party must:

  • take reasonable measures to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control by establishing and maintaining appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Validating operator assertions of compliance with POPIA is an obligation that responsible parties are required to fulfil. Responsible parties should foresee that operators might not fulfil their POPIA and contractual obligations. Data subjects can hold responsible parties responsible for operators' non-compliance, and may demand financial compensation from responsible parties should operators interfere with the rights of data subjects.

One of the appropriate, reasonable organisational measures that responsible parties can use to ensure operator compliance is auditing the measures taken by their operators. Independent auditors, with reasonable technical and organisational certification criteria, can give confidence to all parties that the certification target (e.g. process, service, or product) fulfils the data protection requirements of POPIA.

The value of certification is the degree of public confidence and trust that is established by an impartial and competent assessment by a third-party.

CONTACT US for more information and assistance with validating operator assertions of compliance using independent, impartial certification criteria.