A unique compliance framework
Introducing POPICheck
Confused about what POPI is, what you are responsible for, where to start and what to do? First Digital have developed a unique compliance framework and toolset that simplifies the process and assists you in completing your POPI journey with no stress.
Do you have POPI paralysis?
Use POPICheck to help you get compliant. POPICheck provides a framework that helps companies make sense of the compliance requirements, by providing a structured, guided approach to the process.
Ease of Access
POPICheck is a cloud-based, Software as a Service (SaaS) solution, which requires zero hardware or software – only internet access and a browser. Just sign up, log in from anywhere and start your journey towards POPI compliance.
No training required
POPICheck has a simple interface that is extremely intuitive and easy to use. Guided assessments mean that no POPI knowledge is required.
Industry standard content
All POPICheck content, such as questions, answers and corrective actions, was developed in conjunction with industry experts, is field tested and is fully POPI compliant.
Visual dashboards and
Our visual dashboards give a bird’s eye view of overall assessment progress and help decision makers identify key actions quickly by allowing them to drill down to break deadlocks. Summary reports can be printed or downloaded for distribution.
Save money and time
POPICheck will allow you to drive your POPI compliance initiative and save costs and time by reducing your reliance on expensive external consultants. It also expedites and streamlines the process and eliminates much of the guesswork companies face.
Includes 70 POPI templates
POPICheck includes 70 POPI-aligned policy templates that have been developed and tested in the field. They cover all areas and include templates, samples, worksheets and forms.
The Protection of Personal Information Act 4 of 2013 (“POPI”) was signed into law in November 2013. The provisions of the Act came into effect on 1 July 2020 with the grace period ending on 1 July 2021. Organisations must ensure that they comply with the POPI Act as the Information Regulator will start enforcing the POPI Act when the grace period ends.
The purpose of POPI is to ensure that all South African institutions act responsibly when collecting, processing, storing and sharing another entity’s personal information. The POPI legislation confers upon data subjects rights of protection and the ability to exercise control over:
when and how they choose to share their information (requires their consent)
the type and extent of information they choose to share (must be collected for valid reasons)
transparency and accountability on how their data will be used (limited to the purpose) and notification if/when the data is compromised
providing them with access to their own information as well as the right to have their data removed and/or destroyed should they so wish
who has access to their information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing their information
how and where their information is stored (there must be adequate measures and controls in place to safeguard their information to protect it from theft, or being compromised)
the integrity and continued accuracy of their information (i.e. their information must be captured correctly and once collected, the institution is responsible to maintain it)
It is important to note though that this right to protection of “personal information” is not just applicable to natural persons but any legal entity, including companies. While consumers now have more rights and protection, organisations are considered “responsible parties” and have the same obligation to protect other parties’ personal information. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, private and public (government) bodies, sole proprietors, traders and juristic persons.
An operator as defined in the Act means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. Operators would include all service providers, suppliers and vendors, e.g. IT, internet and network providers, accounting and auditing services, banks, payroll administrators, courier/messenger services, and archiving companies.
The circumstances where POPI will not apply include the following:
Processing of personal information not entered on a record;
Where information collected is de-identified or encrypted;
The protection of national security;
The prosecution of offenders;
Where the public body is the cabinet or court;
In certain circumstances, journalistic or artistic pursuits.
It is clear that there are rare instances where POPI will not apply and it is in the interests of organisations to comply: the advantages include the building of trust with employees, suppliers and clients rather than risking reputational harm or worse. In addition, the maximum penalties for non-compliance range from fines not exceeding R 10 million to 10 years’ imprisonment. There is also the risk of being subject to investigation and potentially being stripped of trading licences.
Ultimately, POPI could be very beneficial for South Africa, despite the expected costs of securing personal information. The costs should be seen as an investment for South African organisations to improve their worth to international investors. If POPI is recognised overseas and is seen in the same light as GDPR, then the chances are there will be a spin-off for local businesses.
The increasing sophistication of cyber-attacks means that organisations should assume they have already been breached, and take a proactive, multi-layered approach to mitigating risk.
Most important to bear in mind is that responsibility can be delegated, but not accountability.
What is POPICheck?
It is a cloud-based rapid assessment tool that helps organisations gauge their readiness for compliance with the POPIA Act.