Since the bill’s inception in 2009, PoPI has finally been signed into law by the president. Though the effective date has not been set, it’s a matter of time and we now know the final state of the act.
It is therefore imperative, if you have not started already, that you start your compliance effort now. (Click here to view the act: http://keyphase.co.za/media/popi/popi_act_sa_2013.pdf)
This piece of legislation is by no means a toothless tiger. The penalties in the law are very clear, and very severe. Consumers are also wising up, and soon your clients will start asking you about your state of PoPI compliance.
So if you have not started, where to start and what to do?
PoPI, through its 8 principles, can be practically summarised into three areas:
- Obtaining data subject consent
- Maintaining a data subject interaction and information register
- Creating and maintaining a controlled environment
The law very clearly states that consent must be obtained from a data subject when the organisation collects, processes or stores information about the data subject. It remains the responsibility of the responsible party, in this case the legal practice, to prove consent was obtained. So when implementing your consent process, make sure that:
- The consent received is valid, i.e. it is a valid and signed document.
- Consent is obtained for all transactions, so check the consent forms generated against the files you opened in your financial system.
- You store it for the full duration of the period that you store the data subject’s information.
- It is available, as a data subject can at any time request that you prove consent.
- Your process allows for consent to be revoked, as a data subject can at any stage revoke his consent, which may of course result in the cancellation of the transaction.
A data subject can at any stage request details of the information you hold and its related sources from an organisation. While the client file is still in your office, you can refer to the file for the details; however, when the file is in the archive, ensure you have a data register of the information you have. Also, use your data register to record any data subject interaction, such as when corrections were requested. Keep in mind that satisfying the data subject’s request remains solely the responsibility of the legal practice.
The final piece is the control environment. Ensure you create, and more importantly, maintain, a control environment. This is done by implementing an Information Security Management System, which is a set of policies, processes and procedures, to ensure that you maintain a safe environment for information. For details on this, you can refer to the guidelines issued by the Law Society.
It is time. It’s in your interest, and more so, in the interest of your clients. And don’t only ask “how do I keep my client information secure”; also ask other organisations, “how do you keep MY information secure?”
Contributed by KeyPhase.