
ACCOUNTABILITY

The responsible party has implemented organisational measures that ensure authorised management is informed, involved and accountable for personal information processing operations. Measures include, but are not limited to:

  • the implementation of appropriate data protection policies;
  • formal allocation of roles and responsibilities;
  • formal reporting lines;
  • documentation of decisions impacting data protection.

 

POLICIES AND PROCEDURES

The entity reviews, on a regular basis and at least annually, the operational effectiveness of its data protection governance policies and procedures and adapts them accordingly. Policies should cover at least the following topics:

  • the record of processing activities;
  • data subjects' rights;
  • the information officer’s role, responsibilities and resourcing;
  • personal information breach handling;
  • conditions for the lawful processing of personal information;
  • personal information transfers (if applicable);
  • use of operators (if applicable).

The review is:

  • performed or delegated by authorised management to resources with relevant business, legal and technical competencies;
  • documented, with exceptions followed up;
  • approved by the organisation's management.

 

RECORD OF PROCESSING OPERATIONS

The responsible party reviews and approves on a regular basis and at least annually, or when significant changes in the data privacy landscape of the organisation occur, the record of the personal information processing operations under its responsibility to ensure completeness and accuracy of the documented processing operations.

 

DOCUMENTATION OF PROCESSING OPERATIONS

The organisation has documentation of its personal information processing operations that contains, at least, and for each processing operation:

 

DOCUMENTATION OF THE OPERATOR'S PROCESSING

The organisation has documentation of all categories of processing operations carried out on behalf of its responsible parties that contains, at least, and for each category of processing operation:

 

DATA SUBJECTS' RIGHTS

The organisation has implemented measures to ensure that:

 

APPOINTMENT OF AN INFORMATION OFFICER

An information officer with adequate resources is appointed.

The organisation has implemented measures that:

  • ensure that the information officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal information;
  • ensure that the information officer is supported by the entity's management in performing his/her tasks, in particular by providing the time and resources necessary to carry out those tasks, access to personal information and processing operations, and the means to maintain his/her expert knowledge;
  • ensure that the information officer does not receive any instructions regarding the exercise of his/her tasks. He or she shall not be dismissed or penalised for performing his/her tasks. The information officer shall directly report to the highest management level of the responsible party or the operator;
  • ensure that data subjects can contact the information officer with regard to all issues related to processing of their personal information and to the exercise of their rights under POPIA;
  • ensure that the information officer is bound by secrecy or confidentiality concerning the performance of his/her tasks;
  • ensure that the information officer is not involved in tasks and duties that could result in a conflict of interests.

 
