Five steps for an employee-first approach to POPIA

Information integrity and protecting employee information is high on the agenda for remote working

Discussions around the consumer impact of the Protection of Personal Information Act (POPIA) have been taking place for years. Now, with the Act coming into effect on 1 July 2021, it is important to develop a company culture of privacy protection and reinforce the need for information integrity, starting from management level and filtering down.

It is especially valid in a world of remote working and cloud-first approaches for payroll and HR data to be safely stored without the event of it being lost or accidentally deleted, and accessible only to individuals who are authorised to handle it.

All information gathered on employees is strictly to be used according to the intended purpose of collection, unless there is a legal need or permission is granted from the employee themselves to make use of it for other purposes.

Cloud-based HR and payroll solution provider PaySpace provides a simple five-step framework for implementing POPIA from an HR perspective:
1. Appoint an information officer: The first step to compliance is to appoint an information officer or an employee who can act as an  information officer responsible for company and customer information. They are responsible for guiding the organisation through the POPIA process as well as compliance.

2. Create awareness and buy-in: Effective compliance can be achieved with the commitment of the entire organisation. Educate employees to understand data privacy and their individual role in compliance.

3. Conduct a personal information impact assessment: When it comes to data collection, it is important to ask and understand the following questions to highlight gaps that exist in the business procedure:

  • What data is collected and how it is collected;
  • The purpose of the data being collected and who collects it;
  • What it is used for and how will it be stored and processed; and
  • How will it be retained and destroyed.

4. Develop or update procedures and policies: Put the impact assessment findings into action by assessing and revising procedures and policies, like:

  • Employment contract changes;
  • Supplier agreement changes;
  • Marketing practices (how data is collected, how consent to store this data is obtained from the owner); and
  • Updating or developing policies like data privacy policies, information security policies, access control policies and data handling policies.

5. Implementation and dedication: The compliance framework must be implemented, monitored and maintained as an ongoing business practice. Management and all employees must adopt and adhere to the steps in order to maintain compliance and avoid fines or even lawsuits in some instances.