In the last few months, the Information Regulator has intensified efforts to investigate and enforce compliance with data privacy and protection laws among responsible parties. In terms of section 77H(1) of PAIA, read with sub-regulation 14(2) of the PAIA Regulations, and section 40(1)(b)(vi) of POPIA, the Information Regulator has the power to conduct compliance assessments on its own initiative or upon request, to determine whether a responsible party generally complies with the provisions of PAIA and POPIA.

It has been almost three years since POPIA came into force, and organisations are assumed to have had ample time to get their ducks in a row when it comes to POPIA and PAIA compliance. But have they? Ensuring compliance within an organisation is the information officer's responsibility, and an information officer can be held personally liable for gross infringements of PAIA provisions. It is therefore important that information officers are adequately equipped to take on the role.

Besides implementing and publishing a PAIA Manual and drafting and adopting a privacy policy, there are other things that need to be done to ensure compliance. With so many developments taking place in how data is processed, an information officer has to be proactive and regularly complete compliance exercises. It may be a bit nerve-wracking to receive a notice of assessment, but an organisation that has kept its compliance records in order should not find it difficult to show that it is compliant.

During a compliance assessment, you can expect the Information Regulator to request the following to demonstrate compliance with PAIA and POPIA:

  • the organisation's PAIA manual prepared in line with regulations;
  • the organisation's POPIA compliance framework and impact assessments;
  • proof that an information officer (and, where applicable, a deputy information officer) has been designated;
  • policies in place to help ensure data protection;
  • procedures in place, aligned with industry practice, for processing personal information lawfully;
  • proof that the organisation submitted its annual report to the Information Regulator in terms of section 83(4) of PAIA; and
  • proof that employees have been provided with POPIA and PAIA training.

This list does not encapsulate all that is required to prove that an organisation is complying with data protection laws, but it is a starting point.

There still seems to be much apathy in South Africa towards regulators and their enforcement powers under various statutes. However, the Information Regulator's latest initiatives have shown that it has both bark and bite. These compliance assessments are good reminders that compliance is neither a tick-box exercise nor a once-off event. As such, organisations need to stay ready in case the Information Regulator comes knocking on their door, because it is no longer a matter of if, but when.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.