Why it’s crucial to know the 8 principles of POPIA - IronTree

For COVID-19 updates, visit official government website www.sacoronavirus.co.za

Why it’s crucial to know the 8 principles of POPIA

South Africa’s Protection of Personal Information Act (POPIA) came into force on 1 July 2021. The purpose of the law is to ensure that personal information is kept safely by organisations who collect it, not sold to third parties, not lost and not used or held for longer than was originally necessary.

The extent to which POPIA is going to affect your business will depend on how your data-related processes and operations align with the core principles of the law – so it’s crucial to know the principles.

These are the eight principles:

Principle 1 – ACCOUNTABILITY – the head of the company is ultimately responsible for complying

Principle 2 – PROCESSING LIMITATION – personal information usage must be lawful, with the minimal amount of information necessary

Principle 3 – PURPOSE SPECIFICATION – personal information must be collected, used and retained for a specific purpose, related to your organisation’s activity

Principle 4 – FURTHER PROCESSING LIMITATION – further processing of the information must be compatible with the original purpose for collection

Principle 5 – INFORMATION QUALITY – the personal information must be kept up to date, complete and accurate

Principle 6 – OPENNESS – there are things you need to tell the person when you collect their personal information

Principle 7 – SECURITY SAFEGUARDS – measures must be taken to prevent loss of, or unauthorised access to, personal information

Principle 8 – DATA SUBJECT PARTICIPATION – the information does, after all, belong to someone else, and he or she must be able to access it

These principles inform the actions and procedures your organisation needs to take to become, and remain, compliant with POPIA, so your compliance journey is dependent on knowing them.

What must I do to meet the principles of POPIA?

First you will need to create a compliance programme that takes all eight principles into consideration, from both organisational and technological points of view. You will start by assessing how data flows through your organisation and working out what needs to change and what needs to be implemented.

In creating your compliance programme, you will make provision for:

  • Consent management
  • Electronic marketing
  • Human resources
  • Information technology and security

Your programme will also need to:

  • Document the flow of personal and sensitive data
  • Satisfy governance requirements
  • Ensure employee awareness of data privacy
  • Provide for data subject access requests
  • Facilitate breach logging and management

The task may seem daunting at first, but it becomes straightforward with compliance software, which gives you the tools to assess how data flows through your organisation and then work out what needs to change or be implemented for your particular setup.

If you’d like to chat about what a compliance programme for your organisation would entail, we’re here to help.

Chat to our consultant

We are taking all necessary precautions around the COVID-19 situation. Our offices are closed and our team members have each been set up to work remotely in self-isolation at home. As far as possible IronTree will maintain business as usual. All our resources such as server platforms, transactional capacity, telephony and electronic communications, including video meeting facilities, have been configured in the cloud and are 100% operational. Please feel free to contact us if you require our assistance. Stay safe!
One of our team members will be happy to help answer any questions you have!
Just click the chat icon in the right-hand corner.