Protection of Personal Information Act (POPIA)

Protection of Personal Information Act (POPIA) – Where to now?

POPIA has now been in force since 1 July 2021. While some organisations have completed their POPIA compliance programmes and implemented a number of privacy processes and controls, others have implemented 'quick fixes' due to tight deadlines, resource constraints, and the overall complexity of implementing POPIA. The latter approach tends to result in key compliance requirements not being met, weak controls, and unremedied gaps. We are also aware that some organisations have not yet started with their compliance programmes.

Wherever you are on your POPIA compliance journey, PwC can help.

PwC’s Privacy practice follows a market-leading multidisciplinary approach to POPIA compliance and has some of South Africa’s leading privacy professionals on the team. Team members include certified privacy professionals, lawyers, and specialists in areas such as cybersecurity, risk assurance, governance, forensics, data, and internal audit.

We have extensive experience in advising on POPIA requirements, having worked across industry sectors and with clients that range from international businesses and globally recognised brands to smaller-sized and domestically focused enterprises.

To see the extensive POPIA-related services that PwC offers click here.

Subscribe to receive privacy related content

Woman reading about the new Popia act on her computer

Issues you may be facing

  • Having started your POPIA implementation programme, but due to the pressure of compressed timelines, constrained resources and the overall complexity of implementing POPIA, you focused on compliance first but now need to further improve your privacy processes and introduce new efficiencies.
  • Not knowing where to start with implementing POPIA in your organisation.
  • Not having the full understanding of the impact POPIA has for your organisation.
  • Prioritising your implementation activities to comply with POPIA within the 12 months grace period.
  • Not having a view of what data you process and why.
  • Not having an idea where your data is stored and if it's secured. 
  • Not having a view of who data is shared with and why.
  • Not understanding how to maximise the value of your data in a legally compliant way.
  • Not having a view of whether your organisation is affected by other privacy laws in countries you operate out of.

 

How we can add value

We have advised and assisted many organisations, from small enterprises to large corporates, in their POPIA compliance journeys. Based on our experience in providing privacy advisory, legal and cyber security services to our clients we have defined a holistic framework for the management of privacy risk that is designed to enable organisations to leverage good practices that can be tailored to address each organisation’s unique privacy vision and risk exposure.

Gap assessment

We regularly work with clients to review the level of compliance of their implemented privacy measures against POPIA requirements. We can also assist with data mapping to understand your data footprint and the applicability of POPIA and other privacy legislation for your organisation.

The gap assessments will provide your organisation with an independent view of your privacy capabilities and gaps.

Recommendations for gaps identified are prioritisation and shared in a detailed roadmap format to guide your team with the remedial activities.

 

End-to-end POPIA implementation support

For organisations that have not completed their privacy programmes, we offer a set of accelerators that will allow for the rapid implementation of privacy measures.

Using our multidisciplinary approach we provide end-to-end support to assist organisations with all aspects of privacy compliance, including applicability assessments, data mapping, privacy procedures, notices and contractual clauses and security measures. Our approach is scalable enough to assist any organisation, irrespective of the size, from large multinational organisations to small-to-medium enterprises.

 

Technology enablement

Successful privacy programmes combine people, process and technology. Privacy management tools and technology can accelerate your privacy programme, but also help find efficiencies if you already have privacy capabilities in place.

Tools can, for example, significantly increase the level of accuracy of your data discovery activities and the impact on your staff. They can also allow for a centralised and secure management of privacy processes such as breach reporting, consent management, data subject requests and compliance monitoring.

It is important that the right privacy management tools and technologies are selected for your organisation’s unique needs and properly implemented to realise their full potential. Our team will assist you in determining the right tools for you, and that they are implemented correctly the first time.

 

Security

In meeting the requirements to implement appropriate security safeguards, our Cyber team can assist in adopting and implementing an appropriate security framework and advise you the most appropriate data protection measures to implement. We can also perform testing of the effectiveness of your Cyber controls over your most important information assets. In meeting the requirements to implement appropriate security safeguards, our Cyber team can assist in adopting and implementing an appropriate security framework and advise you the most appropriate data protection measures to implement. We can also perform testing of the effectiveness of your Cyber controls over your most important information assets.

Personal data breach management

We provide a full range of breach support offerings, covering breach preparation (including simulation testing), management and remediation.

Our team regularly develops policies and strategies for data breach management. We also advise on breach reporting and provide guidance and support during investigations by the Information Regulator, and assist with determining and undertaking remediation activities.

 

Third party management

We support clients to develop robust approaches to POPIA-compliant contracting with vendors and partners.

This includes drafting standard POPIA contractual clauses, designing playbooks for negotiating POPIA terms and implementing processes to manage vendor and partner risks arising from their access to personal data. We can also offer contract remediation and bulk review services.

 

Privacy operating models and compliance management

We work with clients to review and design the positioning of their POPIA function and interaction with other areas of their business, the roles, teams, committees and forums required to deliver successful POPIA outcomes, how POPIA compliance responsibilities will be distributed within the business, how POPIA compliance will be monitored and reported on and what documents you should develop to demonstrate accountability.

Personal Information Impact Assessments (PIIAs)

We can assist clients with conducting Personal Information Impact Assessments of new technology or changes to business processes to determine relevant POPIA compliance requirements. We can support and develop approaches to help highlight any potential issues from the design stage of these changes. We can conduct and develop PIIAs to assess proposed personal information processing activities.

Cross-border transfers

We advise clients on transferring personal information across territories. We can advise on the best option for your organisation, including the use of Standard Contractual Clauses and Binding Corporate Rules.

Data subject rights handling

We work with clients to help them develop their Data Subject Rights (DSR) handling processes and assess how to respond to specific requests and complaints.

Developing policies, standards and procedures

We have extensive experience reviewing, assessing and developing documented policies, standards and procedures for privacy. We can help assess whether you have any missing POPIA documents and whether your existing POPIA documents address compliance requirements of POPIA.

Assurance services

Our Privacy team can guide your Internal Audit team, or if you wish to co-source the assurance services to us, to perform a review of the design and operating effectiveness of your privacy measures. This will provide comfort to your Board and Audit, Risk & Compliance committee on whether your organisation is meeting its compliance requirements in terms of POPIA.

Our team will help you define the types of reviews that are appropriate for your organisation’s needs, including privacy project assurance, control-self-assessments or third party operator reviews.

POPIA compliance is an ongoing process and it can be a time-consuming undertaking. Even though the effective date has passed, the work is far from over.

PwC can walk the journey to sustainable POPIA compliance with your organisation.

Privacy Support Sevices

POPIA and other privacy laws have created a large demand for privacy professionals throughout South Africa; however, there are currently not enough skilled privacy professionals to meet this demand. This leaves organisations at increased risk of non-compliance with the law.

PwC Privacy Support aims to address the risk related to this skills shortage by providing organisations with the operational support they need to meet their POPIA compliance requirements.

Learn more about our Privacy Support Services here.


Follow us

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Contact us

Charles Fischer

Charles Fischer

Principal | Digital Trust and Privacy, PwC South Africa

Tel: +27 (0) 21 529 2018

Aneesa Firfiray

Aneesa Firfiray

Senior Manager, PwC South Africa

Tel: +27 (0) 21 529 2427

Dr Kamil Reddy

Dr Kamil Reddy

Associate Director, PwC South Africa

Tel: +27 (0) 66 488 2782

Tammy Bortz

Tammy Bortz

Senior Legal Consultant, PwC South Africa

Tel: +27 (0) 83 253 3969

Hide