With the Protection of Personal Information Act (POPIA) now in force in South Africa you’ve probably – hopefully – made some headway towards compliance by:
- looking at how data flows through your company
- gaining consent when you collect a subject’s personal details
- improving your cyber security
- amending your operator agreements
- putting a breach management process in place
- devising a system to manage subject access requests
What are subject access requests?
Under POPIA, a subject access request (SAR) is a right of access that enables an individual to ask an organisation if it keeps personal data about him/her – and for what purpose – and to request a copy of it. The data subject also has the right to ask who their data has been shared with, and how long it will be kept for. The subject can ask for the data to be amended, deleted or moved to a different organisation.
SARs can be made verbally, in writing, and even via social media. When you (as the organisation that holds the information) disclose the requested information, you must do so securely, as the regulation requires.
Carrying out a SAR
Responding to a SAR manually can be time-consuming, especially if the personal data you hold:
- is not digitised (i.e. it’s printed on paper invoices or kept in various paper files)
- is not all in one place (i.e. it could be in your email system, account records and address books)
So finding the data is one thing, and responding to the request in a way that complies with POPIA is another.
How long have you got to respond?
POPIA stipulates that you must respond to a SAR as soon as reasonably possible, preferably within a maximum of 30 days. When you already have a demanding job to do, responding to a SAR can get in the way, yet it is mandatory if you are to remain compliant with the law.
It’s also important that you keep a record of your responses so that they’re traceable proof of your compliance.
All these steps can be time-consuming, especially when you have many customers, any of whom may make a SAR. If you’re responding manually, you’ll need a dedicated employee to manage each request from receipt to delivery.
Since time equals money, would it not be far easier if you could respond using an automated process?
Automating the SAR process
Dedicated software is available for automating the process of receiving and responding to SARs. The dual benefit is that it helps you to be compliant with the regulation while also saving you the time – and money – it would take to deal with SARs manually.
However, you can’t make use of an automated process unless a few things are already in place. For your data to be “automate-able”, you’ll first need to:
- use case management software to receive, record and respond to each request
- digitise all the personal information you hold
- use a tool to find and collect data from all possible storage locations, such as hard drives, emails, apps and presentations
- use text analytics to exclude business-sensitive information from the response
- create a way to share the information securely with the data subject
With an automated service, you’ll have access to a pre-built SAR form you can link to from any website or application. You’ll also receive alerts when a new subject access request comes in and reminders to respond to it so you don’t miss the regulated response deadline.
If you’d like to talk about subject access requests, give us a shout here.