POPIA Compliance Implementation Strategy
eStudy (Pty) Ltd (“eStudy (Pty) Ltd”/ “We” / “Us”) places a high premium on the privacy and personal information of our employees, customers, affiliates, service providers and any other third-party with whom we engage or contract. As such, we have recognised the importance of deploying a comprehensive data protection compliance program to ensure that our day-to-day activities comply with the Protection of Personal Information Act, 2013 (“POPIA”) and other potentially applicable data protection and privacy laws. We seek to process the personal information of any third parties in a responsible and lawful manner and are also taking appropriate steps to ensure that our service providers and suppliers do the same.
The purpose of this notice is to inform our stakeholders of the proactive steps we are taking to comply with POPIA and prevailing data protection and privacy laws, as well as to create appropriate awareness for the steps which we will be taking in future.
Background & Objectives of the Compliance Program
In anticipation of the full enforcement of POPIA in South Africa, we initiated a legal data protection and privacy compliance project with the following objectives:
To execute a company wide gap analysis/impact assessment to evaluate our data processing infrastructure and identify areas of risk in relation to compliance with prevailing data protection and privacy laws, such as POPIA.
To deploy an internal training and awareness program to lay a proper foundation for the implementation of a standardised compliance framework.
To implement practical legal measures and documentation with the following objectives:
To give effect to the responsibilities and duties of our Information Officer.
To create a compliance policy framework which codifies acceptable policy standards and business processes to ensure that we always endeavour to process personal information and data in general in compliance with the provisions of POPIA and prevailing data protection and privacy laws.
To establish an internal culture of data protection and privacy compliance, hold our employees, suppliers and service providers accountable, and ultimately manage our compliance risks effectively.
Importance of the Program
Compliance with prevailing data protection and privacy laws pose significant operational challenges. We have recognised the challenges associated with implementing appropriate compliance strategies, without making everyone’s lives unnecessarily difficult. To this end, we are developing and deploying a compliance framework which will:
Enable us to comply with the conditions for the lawful processing of personal information as set forth in terms of POPIA.
Allow the establishment of clear, standardised processing principles and businesses processes within which to foresee, identify and deal with information security and data processing risks.
Enables us to stay operational and mitigate our risks in the event of an incident occurring.
Identify the obligations imposed upon us as a responsible party, and which will hold our employees, suppliers and service providers accountable.
Foster a culture of data protection and information security compliance.
Practical Steps and Implementation Strategy
To give credence to our compliance efforts, we are executing short-term, medium-term, and long-term objectives and will be ensuring that on both operational and business levels, we are implementing the following:
Information / Deputy Information Officer Appointments
Appointing an Information Officer and Deputy Information Officer(s), who are executing their broader obligations and responsibilities in terms of POPIA. One of the most important of these responsibilities is facilitating ongoing internal awareness and training. We will be deploying various awareness and training interventions throughout the course of coming months, which will take the form of interactive workshops, online training courses and micro-learning interventions.
A PAIA Manual
We accept that the Promotion of Access to Information Act, 2000 (PAIA) is just as important as POPIA and as such, we have developed a comprehensive PAIA Manual in terms of Section 51 of PAIA. This Manual clearly sets out the process through which any data subject can engage with us to request access to information.
Terms and Conditions
Any data subject who engages with us should be fully aware that such engagement is subject to certain terms and conditions. These terms and conditions clearly set forth the types of personal information we process and the manner in which we process it. Our Information Officer will equip our various business units with standard terms and conditions to implement pursuant to various contractual engagements with data subjects.
Information Notices and Consent Forms
In accordance with Sections 11 and 18 of POPIA, we must establish a lawful justification for the processing of personal information, and we must use our best endeavours to always inform data subjects of any occasion whereby which they provide us with their personal information, as well as the purpose for which we would be processing such information. We may also need to get their consent to process their information (consent is not always necessary and it should be a last resort). We will be deploying tailored privacy notices and consent mechanisms.
Data Sharing Agreements and Protocols
To ensure that we implement the provisions of POPIA which deal with the sharing of personal information effectively, we need to ensure that we share data in accordance with the terms of prescribed data sharing agreements and that everyone is made aware of clear, standardised business processes and procedures which must be followed in respect of the sharing of personal information with third parties. In this regard, we will be deploying standard data sharing agreements and standard operating procedures (SOP’s) which are to be applied when sharing data with third parties.
Technical Information Security Policy Framework, Policies and Protocols (SOP’s)
We have recognised that the best legal and operational policies won’t protect our systems if those policies, and the procedures which flow from them, are not implemented effectively and adhered to. Therefore, we are using a tailored digital compliance dashboard which will enable access to the latest Information Security Policies and SOP’s. The implementation of this compliance framework is key to ensure that we implement the appropriate technical and security safeguards necessary to adhere to prevailing data protection, privacy laws and quality standards.
To give effect to these outcomes, our Information and Deputy Information Officer(s) will be engaging with you to initiate a systematic information gathering process so that we are able to execute this comprehensive implementation strategy.
We reiterate that we are required to take the privacy and information security of anyone whose personal information and data we process very seriously. Therefore, the purpose of this notice is to lay a proper foundation for the execution and implementation of our compliance strategy. Although we will be providing business and operations with the necessary practical compliance tools to give effect to our legal compliance obligations, we want to ensure that everyone within our organisation appreciates what is required of us, as well as the fact that we are committed to maintaining a comprehensive compliance framework in the administration of our various business processes.