06 December 2018

2 reasons to automate compliance management. POPIA and GDPR

Submitted by: Alexei Parfentiev
POPIA was signed into law in 2013. GDPR was adopted in 2016. GDPR came into effect in 2018, while POPIA has not yet come into force. The EU regulation concerns every company which has at least one employee or one client who is a European citizen, while POPIA is to be complied with by any responsible party domiciled in South Africa or any responsible party who uses automated or non-automated means within South Africa. GDPR covers all EU members wherever they reside, whereas POPIA concerns only those within the jurisdiction of South Africa. The requirements appear to draw the limits of compliance for regional businesses clearly, making nearly every South African company subject to both sets of regulations.

POPIA makes you accountable for the lawful processing of personal information in accordance with its purpose. Requests for user details should not exceed what is needed, and the data should not be kept longer than necessary. Collected information is to be relevant and regularly updated. A person whose data is stored should be aware of which details are collected, why, and by whom the enquiry was made.

A company which processes customer data is required to ensure that proper measures are taken to protect confidential details. A data subject can manage the personal information used by a responsible party, remove excessive details and correct misleading facts. A person can ask for a record confirming which particular details are kept by an organisation.

POPIA has a dedicated rule set for direct marketing and for automated assessment processes involving data subjects.

The scope of POPIA comprises not only the confidential details of individuals but also the data of legal persons, which protects corporate entities from information misuse.

GDPR sets similar standards for governing the use of personal data, but it contains some requirements that are not spelled out as clearly in the POPI Act. Even if South African businesses comply with POPIA successfully, they will still need to observe GDPR requirements, paying particular attention to the EU rules, whose conditions are more explicitly articulated. Under the GDPR a company is to provide:

  • Privacy by design and by default. An organisation is to implement safeguards both when deciding how information will be processed and during the processing itself.
  • Data readability. Requested data should be structured and transparently arranged by the organisation.
  • Multi-step access. Users are given the possibility to erase their personal data and to learn about the safety measures taken when the details are transmitted to a different country.
  • Consent. Agreement comes after a comprehensible list of conditions has been presented.
  • Data protection impact assessment. A DPIA should be conducted in order to mitigate data protection risk.

While breaches under GDPR should be reported within 72 hours, POPIA does not set a time limit and requires organisations to announce a data leak as soon as possible.

To ensure that your business has no compliance breaches, an appropriate management framework should be integrated. It is important to have accurate mechanisms in place which evaluate the relevance of the policies you have introduced and keep your system updated. A comprehensive approach to regulatory compliance allows you to assess whether your business processes are conducted in accordance with the latest legal acts. Thorough monitoring lets you see whether there are any configuration changes or policy violations.

Many companies lack the time and competence needed to adapt their corporate rules. Some organisations have never had any internal regulations to conform to, and they are now going to face loads of data which needs to be discovered, analysed and rearranged. Software automates the essential processes and ensures that your company operates in compliance with the requirements.

It is crucial to establish rigorous control over the data which is transmitted outside the corporate perimeter. If information is to be processed in a different country which has its own local regulator, there are a few key points that should be observed:

  1. The transfer of user details should be transparent.
  2. A data subject has the right to:
  • Demand solid data security abroad
  • Review and correct the details if needed
  • Make sure that the period for which the information is stored is limited
  • Check, and reduce if necessary, the number of purposes the data can be used for

GDPR does not go against local regulations; it simply adds to the list of regional do's and don'ts where the local rules lack relevant provisions.

An intelligent risk management program comprises efficient tools to protect your company from fines and penalties. Nevertheless, GDPR remains an intriguing issue for any non-EU country, since the enforcement mechanism still raises misconceptions about how it should be applied in countries all over the world. A number of questions might arise when European citizens have their data misused by a foreign organisation. That is what makes compliance an intricate problem demanding even more attention. Automated management systems are installed to save your time and effort.