Governance matters for POPI and PAIA Act Compliance for SMEs
The foundation of good governance lies in assigning responsibilities for activities that will contribute to effective governance. It is no different when establishing governance mechanisms for laws such as the Protection of Personal Information (POPI) and the Promotion of Access to Information (PAIA) Acts.
The first step in preparing for compliance with these Acts is to identify the elements of governance that will be required to prepare for and maintain an appropriate level of compliance with the Acts. In principle, it is best to start a POPI Compliance Preparation Project (CPP) which incorporates PAIA. The project should aim to understand your current level of readiness for compliance with the Acts, identify the relevant stakeholders, assign responsibilities for carrying out compliance preparation tasks and ensure that these are completed within an agreed timeframe.
In many larger businesses there is a Board of Directors, a Management Executive Committee and functional or departmental managers who make up the main layers of senior management involved in good governance practices. For the small or medium business the reality is that there is often only one level of management: the small business owner. Whatever the size of your business, there should be a formal, written commitment to comply with the POPI Act and PAIA. The SME owner should appoint a project manager who will be responsible for identifying project team members and for allocating project tasks to them as part of your compliance project. In many cases the Project Manager role will be undertaken by the business owner in person.
During the CPP, roles and responsibilities for managing the processes that maintain compliance once the project has been completed should be defined. There is one essential role required by both the POPI and PAIA Acts, namely the Information Officer. By default, this is the designated head of the organisation, typically the CEO. The POPI and PAIA Acts make provision for the appointment of Deputy Information Officers to whom the Information Officer can delegate the day-to-day tasks of managing compliance activities. This role may even be carried out by an external service provider, which is already a common practice in smaller financial services businesses.
To support good governance it is useful to have a comprehensive, structured assessment of how it is being applied. This can of course be applied to other aspects of your SME business, not just POPI/PAIA. In our work with our clients we have identified as many as 30 POPI/PAIA governance elements for consideration.
These governance commitments may seem very daunting, but laying the right foundation for roles and responsibilities, and for the tasks related to them, will go a long way towards establishing a compliance capability for the POPI and PAIA Acts. Don’t try to reach for perfection in the first phase of your compliance journey. Instead, establish reasonable and appropriate organisational and technical measures in line with your risks, as this is all the POPI Act asks for.
PRACTICAL TIP: Check the list of exemptions on the SAHRC website (www.sahrc.org.za), as you may not need to compile a PAIA manual even though you need to comply with other aspects of the Act.
Acknowledgement: This article was written by Mr John Cato, IACT-Africa in collaboration with Dr Peter Tobin. It is a revised version of a similar article that appeared in Residential Estate Industry Journal, Vol 3, 2016.