With the countdown to comply with the Protection of Personal Information Act 4 of 2013 (POPIA) entering its last days, business owners have been advised also to ensure that their Information Officers are duly registered with the Information Regulator.
The Regulator issued a Guideline recently on the requirements and process which you can access here.
In essence, the CEO or equivalent officer of your company, or any person duly authorised in writing by that officer, is the default Information Officer of the business, and this appointment must be registered with the Regulator online.
This is not an insignificant position. The POPIA Information Officer must, according to the guideline, ensure that your business complies with POPIA and must deal with requests made by the Regulator or the public. For those not keen to read between the lines, the Regulator spells out further that this means the Information Officer is the one who must ensure that:
1. a compliance framework is developed, implemented, monitored, and maintained;
2. a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
3. a manual is developed, monitored, maintained and made available as prescribed in PAIA;
4. internal measures are developed together with adequate systems to process requests for information or access thereto;
5. internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Regulator; and
6. upon request by any person, copies of the manual are provided to that person upon the payment of a fee to be determined by the Regulator from time to time.
Apart from the very hefty fines and the reputation-damaging backlash that can follow a data breach, this is clearly not an insignificant position.
For assistance, contact me at email@example.com