The responsible party has implemented organisational measures that ensure authorised management is informed, involved and accountable for personal information processing operations. Measures include, but are not limited to:
- the implementation of appropriate data protection policies;
- formal allocation of roles and responsibilities;
- formal reporting lines;
- documentation of decisions impacting data protection.
POLICIES AND PROCEDURES
The entity reviews, on a regular basis and at least annually, the operational effectiveness of its data protection governance policies and procedures and adapts them accordingly. Policies should cover at least the following topics:
- the record of processing activities;
- data subjects' rights;
- the information officer’s role, responsibilities and resourcing;
- personal information breach handling;
- conditions for the lawful processing of personal information;
- personal information transfers (if applicable);
- use of operators (if applicable).
The review is:
- performed or delegated by authorised management to resources with relevant business, legal and technical competencies;
- documented, with exceptions followed up on;
- approved by the organisation's management.
RECORD OF PROCESSING OPERATIONS
The responsible party reviews and approves on a regular basis and at least annually, or when significant changes in the data privacy landscape of the organisation occur, the record of the personal information processing operations under its responsibility to ensure completeness and accuracy of the documented processing operations.
DOCUMENTATION OF PROCESSING OPERATIONS
The organisation has documentation of its personal information processing operations that contains, at least, and for each processing operation:
- the name and contact details of the responsible party and, where applicable, the joint responsible party and the information officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal information;
- the categories of recipients to whom the personal information has been or will be disclosed, including recipients in third countries or international organisations;
- transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
- the envisaged time limits for erasure of the different categories of information;
- a general description of the technical and organisational security measures to ensure a level of security appropriate to the risk of the processing.
DOCUMENTATION OF THE OPERATOR'S PROCESSING
The organisation has documentation of all categories of processing operations carried out on behalf of its responsible parties that contains, at least, and for each category of processing operation:
- the name and contact details of the sub-operator(s) and of each responsible party on behalf of which the operator is acting, and the information officer;
- the categories of processing carried out on behalf of each responsible party;
- where possible, a general description of the technical and organisational security measures to ensure a level of security appropriate to the risk of the processing;
- where applicable, transfers of personal information to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards.
DATA SUBJECTS' RIGHTS
The organisation has implemented measures to ensure that:
- a contact point (e.g. information officer) has been established for receiving data subjects' requests for exercising their rights, that is easily reachable;
- a system is implemented to record requests and ensure their timely execution and documentation;
- for rejected requests, the justification for the rejection is documented and communicated to the data subject (or the responsible party).
APPOINTMENT OF AN INFORMATION OFFICER
An information officer with adequate resources is appointed.
The organisation has implemented measures that:
- ensure that the information officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal information;
- ensure that the information officer is supported by the entity's management in performing his/her tasks, in particular by providing the time and resources necessary to carry out those tasks, access to personal information and processing operations, and the means to maintain his/her expert knowledge;
- ensure that the information officer does not receive any instructions regarding the exercise of his/her tasks. He or she shall not be dismissed or penalised for performing his/her tasks. The information officer shall directly report to the highest management level of the responsible party or the operator;
- ensure that data subjects can contact the information officer with regard to all issues related to processing of their personal information and to the exercise of their rights under POPIA;
- ensure that the information officer is bound by secrecy or confidentiality concerning the performance of his/her tasks;
- ensure that the information officer is not involved in tasks and duties that could result in a conflict of interests.