The Kingswood Golf Estate (KGE) management team embarked on a POPIA and PAIA Compliance Preparation Project in May 2021 in order to establish appropriate measures for protecting the personal information of homeowners, residents, visitors and other stakeholders in a lawful and secure manner.
Why was the project started?
KGE management understood the importance of protecting the personal information for which they are responsible and for ensuring that a high level of compliance with the Protection of Personal Information Act (POPI Act/POPIA) was achieved. This was particularly important as the enforcement date of the law was drawing near. It was also important that all stakeholders were confident that their personal information was being protected in a professional and lawful manner.
What did the POPIA project cover?
The road to POPIA compliance was travelled using a four-phase methodology, the four phases being the Initiate, Assessment, Consideration and Translate phases.
What were the key aspects of the project journey?
In the Initiate phase, the start of the journey, a project team consisting of the HOA management team – namely Willem Jacobs, Lize Van Heerden, Masadi le Roux, as well as John Cato and Jose Cardoso from specialist consulting firm IACT-Africa – was established.
The project was overseen by Willem as the information officer and project owner. A project charter and plan were set out in which the key objectives and milestones were defined for the project. These were regarded as the roadmap and rules of the road for the project.
The Assessment phase included the completion of multiple assessments. These were necessary in order to gain an understanding of the status of compliance with POPIA and to identify the impact of POPIA requirements on KGE. Key assessments included:
- Identifying what personal information is held by KGE, where it is stored, who has access to it and who processes it;
- Which service providers provide services that include the processing of personal information and whether the agreements with them include duties for protecting this information;
- Assessing the lawfulness of the processes where personal information is collected, processed and shared – these included new owner, visitor, employee and other stakeholder processes;
- Identifying what contracts and policies were in place in order to assess potential changes or additions to these;
- Assessment of the security of personal information in all its forms, i.e. electronic, hard copy, verbal, etc.;
- Assessing the risks to personal information, both physical and non-physical;
- The KGE website was assessed in order to determine if it met privacy, access to information and security requirements.
The Consideration phase considered the observations and learnings from the Assessment phase and provided recommendations for redressing the shortfalls identified.
In other words, a gap analysis report was produced.
The final phase, the Translate phase (the last mile), was conducted in order to translate the recommendations from the Consideration phase into appropriate POPIA and PAIA compliance measures. These included:
- The formal appointment of the information officer, Willem Jacobs, through an appointment letter;
- Establishing a framework of privacy and personal information security policies and notices;
- Applying changes to processes such as new owner, tenant, visitor, contractor and employee registration processes;
- Implementing additional contracts with service providers whose services include personal information in order to ensure that they commit to protecting the personal information they process – these include the security company, IT service providers and property-related service providers;
- Introducing additional employee compliance documents;
- Implementing additional technical measures in the IT systems in order to add stronger information protection;
- Introducing a personal information risk management practice covering physical and non-physical risks to personal information;
- Introducing an ongoing POPIA compliance plan – this is very important as the POPIA project is only the start of the journey for protecting personal information.
What benefits were obtained?
Looking back over the journey, it can be said with confidence that the benefits below have been obtained:
- An appropriate POPIA and PAIA compliance framework has been developed, which will be valuable to KGE from a business practice perspective and as evidence of compliance in the event of an assessment being conducted by the Information Regulator. In practice, KGE has achieved a healthy level of POPIA and PAIA compliance;
- Enhanced privacy and information security measures have been implemented, which bring benefits in protecting personal information and other information such as financial information;
- Enhanced service provider contract management measures have been established, which will give KGE legal recourse should a breach of personal information occur through deficiencies in the service provider’s information security practices;
- Personal information security risk management practices have been introduced, which will increase the scope of KGE’s current risk management practice;
- Last but not least, a new way of thinking about handling personal information has been introduced into the KGE HOA team, which will go a long way to giving residents and visitors confidence that their personal information is being protected in a secure and lawful manner.
At the time of writing this article, the KGE POPIA project is more than 90% complete. Once the project has been completed, a POPIA Ready Certificate will be issued by IACT-Africa. Formal training for the HOA team and key stakeholders will also be conducted in the new year.
The successful completion of the POPIA project demonstrates the commitment that KGE management has made to compliance with the new and demanding legislation. It can honestly be said that the road to POPIA compliance has been worthwhile, even if it has seemed tiring and tedious at times.