POPIA: ready for subject access requests?

With the Protection of Personal Information Act (POPIA) now in force in South Africa you’ve probably – hopefully – made some headway towards compliance by:

  • looking at how data flows through your company
  • gaining consent when you collect a subject’s personal details
  • spelling out your data privacy policy
  • improving your cyber security
  • amending your operator agreements
  • putting a breach management process in place
  • devising a system to manage subject access requests

What are subject access requests?

Under POPIA, a subject access request (SAR) is a right of access that enables an individual to ask an organisation if it keeps personal data about him/her – and for what purpose – and to request a copy of it. The data subject also has the right to ask who their data has been shared with, and how long it will be kept for. The subject can ask for the data to be amended, deleted or moved to a different organisation.

SARs can be made verbally, in writing, and even via social media. When you (as the organisation who holds the information) discloses the requested information, you need to do so securely according to the regulation.

Carrying out an SAR

Carrying out a SAR manually can be time-consuming to complete, especially if the personal data you hold:

  • is not digitized (i.e. it’s printed on paper invoices, in various paper files)
  • is not all in one place:(i.e. it could be in your email system, account records, address books)

So, finding the data is one thing, and then responding to it in a way that meets with POPIA compliance is another.

How long have you got to respond?

POPIA stipulates that you must respond to a SAR as soon as reasonably possible, preferably within a maximum of 30 days. When you already have a demanding job to do, responding to a SAR can get in the way, yet it’s a mandatory task for keeping your compliance with the law.

It’s also important that you keep a record of your responses so that they’re traceable proof of your compliance.

All these steps can be time-consuming especially when you have many customers who may be making a SAR. If you’re responding manually, you’ll need a dedicated employee to manage the requests from receipt to delivery.

Since time equals money, would it not be far easier if you could respond using an automated process?

Automating the SAR process

Dedicated software is available for automating the process of receiving and responding to SARs. The dual benefit is that it helps you to be compliant with the regulation while also saving you the time – and money – it would take to deal with SARs manually.

However, you can’t make use of an automated process if a few things aren’t already in place. For your data to be “automate-able” you’ll first need to:

  • Use case management software to receive, record, and respond to the request.
  • Digitize all the personal information.
  • Use a tool to find and collect data in all possible storage spaces such as hard drives, emails, apps, and presentations.
  • Use text analytics to exclude business-sensitive information
  • Create a way to share the information securely

With an automated service, you’ll have access to a pre-built SAR form you can link to from any website or application. You’ll also receive alerts when a new subject access request comes in and reminders to respond to it so you don’t miss the regulated response deadline.

If you’d like to talk about subject access requests, give us a shout here.


Step 1 of 2

  • Sign up for your
    Free Trial

    Please complete the form to sign up for your free trial. For all our other products, please contact us for a consultation.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

The reseller zone is currently out getting a facelift as we look to integrate it with our backup platform, as it stands you can overview your clients on our new backup console. If you don't know what console that is, please reach out to us.

  • Hidden
  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

  • I have read and understand IronTree Internet Services (Pty) Ltd's privacy notice.

We are taking all necessary precautions around the COVID-19 situation. Our offices are closed and our team members have each been set up to work remotely in self-isolation at home. As far as possible IronTree will maintain business as usual. All our resources such as server platforms, transactional capacity, telephony and electronic communications, including video meeting facilities, have been configured in the cloud and are 100% operational. Please feel free to contact us if you require our assistance. Stay safe!
One of our team members will be happy to help answer any questions you have!
Just click the chat icon in the right-hand corner.