Abstract
Background: The urgency to enforce the Protection of Personal Information (POPI) Act is building up within South Africa, triggered by the appointment of the Information Regulator for POPI on 01 December 2016. However, for data management practitioners, the absence of a practical guideline on how to legally process personal information of employees, customers or other juristic persons in line with the POPI Act poses a day-to-day technical challenge, especially for those embarking on a maiden journey to comply with the POPI Act.
Objectives: The objective of this article is to explore and analyse the unique perspectives of data management professionals who are vested with the responsibility of driving the successful enforcement of the POPI Act within their respective organisations, with the end goal of formulating a practical guideline for the enforcement of the POPI Act.
Method: To achieve the objectives of this research article, semi-structured interviews were conducted with a purposive, convenience sample of 16 data management professionals within companies in South Africa. A recording of their views was obtained through one-on-one interviews and a group interview.
Results: From the semi-structured interviews, group interview and response to the questions, several findings and learnings were elicited. Zooming into these findings showed close similarities in the actions taken by data management professionals operating in a similar industry. Based on these results, a high-level sequence of steps on how to enforce the POPI Act was formulated.
Conclusion: Based on the formulated sequence of steps, it is safe to conclude that the actions of data management professionals can be used to create a practical guideline to enforce the POPI Act. However, to standardise these guidelines across the data management function, there is a need to perform testing with a wider spectrum of data management professionals.
Highlights
The need to comply with the Protection of Personal Information (POPI) Act is gaining momentum in South Africa, following the appointment of the information regulator by the President of South Africa on 01 December 2016 (SAICA 2017)
There is a general awareness of the POPI Act among the data management professionals sampled; the challenge and complexity of enforcing the POPI Act seem to vary from organisation to organisation and largely depend on the type of personal information they use in their business operating model
Some measures are being taken by most of the data management professionals sampled in this study to comply with the POPI Act
Summary
According to KPMG (2016), the POPI Act is a piece of legislation designed to protect any personal information which is processed by both private and public bodies (including government). According to Workpool (2017), the purpose of the POPI Act is to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and transmitting personally identifiable information by holding them accountable, should they abuse or compromise the personal information in any way. According to the POPI Act as gazetted in Government Gazette No 37067 of 26 November 2013 (Department of Justice 2013), the POPI Act presents eight conditions under which personally identifiable information (PII) can be legally stored, processed and transferred, namely:. According to Mprem (2016), personally identifiable information includes information about a data subject’s religious or philosophical beliefs; race or ethnic origin; trade union membership; political persuasion; health or sex life; and criminal behaviour or biometric information.