The Protection of Personal Information Act adds yet another obligation on businesses in the financial services sector.
Draft regulations, published on 8 September 2017, set out what will be required. Section 4 outlines the duties and responsibilities of information officers which companies will be obliged to appoint.
Subject to the provisions of section 55 of the Act, an information officer must ensure that –
| a) | a compliance framework is developed, implemented and monitored; |
| b) | adequate measures and standards exists in order to comply with the conditions for the lawful processing of personal information; |
| c) | preliminary assessments are conducted; |
| d) | a manual for the purpose of the Promotion of Access to Information Act and the Act is developed detailing— (i) the purpose of the processing; (ii) a description of the categories of data subjects and of the information or categories of information relating thereto; (iii) the recipients or categories of recipients to whom the personal information may be supplied; (iv) the planned trans-border or cross border flows of personal information; and |
| e) | a general description allowing preliminary assessment of the suitability of information security measures to be implemented and monitored by the responsible party; (e) the manual referred to in paragraph (d) is available – (i) on the website, of the responsible party; and (ii) at the office or offices of the responsible party for public inspection during normal business hours of that responsible party; |
| f) | internal measures are developed together with adequate systems to process requests for information or access thereto; and |
| g) | awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator. |
Expectations are that Popia will become effective early in 2018, so you may want to consider getting the ball rolling in respect of the above.
Click here to download the latest draft regulations
