POPIA Implementation Guide & Checklist
Getting compliant with POPIA requires a considerable amount of work. To make it less complicated, we have prepared a summary sheet with a short explanation of each item that should be attended to, which serves as a compliance checklist.
Personal Information Impact Assessment
This impact assessment must be conducted by the Information Officer in terms of Regulation 4(1)(b) of the POPIA Regulations. The assessment is intended to highlight the areas of the business where POPIA compliance needs to be strengthened.
Manual prepared in terms of the Promotion of Access to Information Act 2000
An Information Officer is required to develop, monitor, maintain and make available a Manual in terms of the Promotion of Access to Information Act 2000.
Compliance Framework and Manual in terms of POPIA
The POPIA Regulations oblige the Information Officer to develop, implement, monitor and maintain a compliance framework. This document is very important in terms of setting out how the business will comply with its obligations under POPIA.
Consent & Undertaking by Employees
Employees provide their personal information to their Employer, who in turn processes that information. In addition, Employees in the hospitality sector are exposed to personal information related to guests and should commit to maintaining confidentiality (and to compliance with the POPIA framework).
Guest Agreement regulating the processing of Personal Information
Your guests provide you with personal information from the time when they make a booking enquiry, through to passing security and registering at reception. The way in which their information is processed and/or stored is important and there must be an agreement with the guest relating to these matters.
Supplier Agreement
Many businesses in the hospitality sector outsource their booking, payment and/or marketing processes to third parties. It is critical that any service provider that processes a guest's personal information is committed to compliance with POPIA. This document should form an addendum to any existing contract with such a provider.
Privacy Policy
A Privacy Policy is an important document that regulates how the Company controls the personal information entered on the Company's website.
Letter appointing an Information Officer
If you haven't yet appointed (and registered) your information officer, it is a matter that must be attended to urgently.
Internal Awareness & Training Materials
The POPIA regulations oblige the Information Officer to hold internal awareness sessions related to POPIA. We have included a training document that is useful in terms of making staff aware of the principles behind POPIA.
Wording for Inclusion in Security Access Forms and other Registration Documents
If a data subject inputs her or his name, ID number and other information, that constitutes the Processing of Personal Information and is regulated by POPIA. We therefore recommend that these forms include a short clause providing consent to the processing for the specific purposes of, for example, providing security for that guest and all other guests.