In an ideal world, your Information Officer (or Data Protection Officer under GDPR) comes from a legal background and is familiar with privacy regulation and other related laws. In reality though, particularly for SMEs, this is rarely the case.
If you are a business owner or CEO, you may not even realise that YOU are the Information Officer! In any event, your Information Officer needs to be trained with regards to Data Protection so that they can respond appropriately when faced with incidents or requests.
What is an Information Officer?
While I will dive into this in more detail in another post soon, essentially the Information Officer is responsible for any requests for information as put forward in the Promotion of Access to Information Act (PAIA) and the Protection of Personal Information Act (POPIA), as well as for the management of an organisation's data protection exercises.
They are where "the buck stops" when it comes to data, the management thereof, and responding to any sort of incident or breach that may happen to a company's data.
Who is your Information Officer?
First and foremost, your Information Officer is not your CIO, even if the two titles share some of the same words. The Promotion of Access to Information Act (PAIA) in South Africa mandates that every organisation, whether public or private, must have an Information Officer. Following on from this, the Protection of Personal Information Act (POPIA) deems your Information Officer to be the person referred to in PAIA. For a private body (such as a Close Corporation or Company) the Information Officer is:
- the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer; or
- the person who is acting as such or any person duly authorised by such acting person.
What this means is that, by default, the CEO or equivalent is the Information Officer, unless you have appointed (in writing) another representative in your company as such.
What does your Information Officer need to know?
An Information Officer has a number of duties under the legislation and its regulations. If we look at POPIA, the act states that the responsibilities of the Information Officer are to:
- encourage compliance by the body with the conditions for the lawful processing of personal information in terms of POPIA;
- deal with requests made to the body in terms of POPIA;
- work with the Regulator in relation to investigations conducted in relation to the body; and
- otherwise ensure compliance by the body with the provisions of POPIA.
These were further clarified in the regulations released a year ago, in December 2018, which set out a number of more granular responsibilities. Under those regulations the Information Officer must ensure that:
- a compliance framework is developed, implemented, monitored and maintained;
- a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
- a publicly available manual is developed, monitored, maintained and made available as prescribed in terms of POPIA and PAIA;
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of POPIA.
Where do you start?
The above is a lot to take in, and if you, like many other Information Officers, are not from a legal background, it can be daunting to even start on this route. The above does provide some clarity, but there are many other aspects to being an Information Officer, such as managing incidents, continuous auditing of controls, and advisory work both internally and externally.
To learn what is required of you, it is important to proactively obtain training. As such, Ross G Saunders Consulting is offering a one-day Masterclass on Data Protection, taking you from the basics through to subjects such as data processing relationships, incident response and more. Our next Masterclass runs on the 29th of January 2020 in Sandton; tickets are available at R1,750 per person at Quicket. In this interactive Masterclass we will cover (among other things):
- The principles of POPIA and conditions of GDPR
- The effect of Identity Theft on your clients
- The anatomy of Incidents and Breaches
- Incident Response Plans
- Liability and Responsibility in Data Privacy legislation
- Data Processing Agreements
- Acceptable Usage Policies
- How easily breaches happen
- Cyber and physical security
- Data Flows and Standard Operating Procedures
- Required internal policies
- Practical Quick Wins
Secure your seat today: it is vital that you and your Information Officer know your responsibilities.
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?