start with why
- The personal information that is collected and the source thereof.
- Name and address of the responsible party.
- The purpose for which the information is collected.
- Whether the personal information is supplied on a compulsory or voluntary basis.
- What will happen if the information is not provided.
- Stating any law that requires that certain information be processed.
- Stating whether the information provided will be shared with a third party or transferred cross border.
- Other information such as the right to have access to their information. [4]
can we learn anything from GDPR?
The General Data Protection Regulation (GDPR) has been applicable since May 2018 in the European Union and is similar to POPIA. Section 13 of the GDPR makes provision for similar disclosures as POPIA’s Section 18.
the next step
- Make this policy your own.
#myprivacypolicy. Do not just blindly copy another entity’s policy. See this as an opportunity to express your company culture and earn your customers’ trust. The CISCO Data Privacy Benchmark Study 2020 reports that 74% of respondents experienced improved customer loyalty and trust as a spin-off to investing in compliance with privacy regulation [10]. If you deal with individuals and entities that really care about their privacy and are willing to take steps to protect their data privacy, you may find that you lose customers due to non-compliance with data privacy legislation.
- Speak your data subjects’ language.
Consider your target audience and tailor your statement accordingly. Again, take a leaf from the book of financial services providers who have to apply principles of Treating Customers Fairly (TCF) in all aspects of dealing with clients. The information that you provide must be clear, fair, and appropriate to your target group. So, use plain language and be transparent.
- Support from management
The tone is set from the top, and it is important that the management structure, be it the board of directors, CEO or MD of an entity, expresses its public support for compliance with the act and the principles it seeks to advance. You may remember the article written by Rici van Schalkwyk from Wauko in April on values and company culture post-pandemic. “Everything rises and falls on leadership” [11]. Whether the principles in POPIA are embedded in a company’s culture will depend on the leadership.
- William Shakespeare, Romeo and Juliet.
- Data subjects are, of course, the people and businesses to whom the personal information that you are processing relates (see Section 1 POPIA).
- A responsible party is a public or private entity or other person that collects and otherwise processes personal information (see Section 1 POPIA).
- Please refer to Section 18(1) of POPIA for a detailed description of the information that has to be disclosed.
- Section 18(2) of POPIA.
- Board Notice 80 of 2003 as amended
- Section 3(1)(c), Section 4(1) and Section 5 of the General Code of Conduct.
- John C Maxwell