Entangling Payroll, HR and the POPIA

1 July 2021 is a significant day for organisations in South Africa. It is the day on which the one-year grace period for compliance with the Protection of Personal Information Act (POPIA) ends and the Act becomes fully enforceable. Companies were granted a year from the Act's commencement on 1 July 2020 to bring themselves into compliance with the new legislation.

Cutting out the legal lingo, what does this have to do with payroll and HR? One might be tempted to file it under the cyber security column and move on. Data protection, however, has everything to do with payroll and HR: these are the functions in any business where the most sensitive personal information is collected, stored and used.

A great deal of new local and international legislation has come into force specifically to strengthen data protection. The European Union has the General Data Protection Regulation (GDPR); South Africa has the POPIA.

With advances in technology, data protection has become crucial, especially given the rise in cyber threats and attacks. With the migration to digital, and the fact that many organisations have adopted remote working and therefore cloud-first approaches, highly confidential information now travels over public networks and in many cases across borders (something the POPIA specifically regulates in its rules on transborder information flows). A framework to govern how this information is managed and protected is of vital importance.

Implementing the POPIA throughout an organisation, in a manner that protects all stakeholders, can be undertaken as follows:

1. Appoint an information officer responsible for company and customer information

The first step to compliance is to appoint an information officer. Under the POPIA this role falls by default on the head of the organisation, who must be registered with the Information Regulator and may designate deputy information officers to carry out the day-to-day work. The information officer is responsible for guiding the organisation through the POPIA process and for upholding compliance going forward.

2. Create awareness and buy-in within the organisation

Effective compliance requires the commitment of the entire organisation. Educate employees on what data privacy is, what counts as personal information, and the role each of them plays in remaining compliant.

3. Conduct a personal information impact assessment

When it comes to data collection it is important to ask and answer the following questions:

− What personal information is collected, and how?

− For what purpose is it collected, and by whom?

− What is it used for, and how is it stored and processed?

− Who has access to it, and on what basis?

− How long is it retained, and how is it securely destroyed?

Unpacking these questions will highlight the gaps in current business procedures.

4. Develop or update procedures and policies

Put the impact assessment findings into action by reviewing and revising procedures and policies, such as:

− Employment contract changes (what employee information is processed, and why);

− Supplier agreement changes (the obligations placed on third parties, such as payroll providers, that process personal information on your behalf);

− Marketing practices (how data is collected, and how consent to store and use it is obtained from the data subject); and

− Updating or developing policies such as data privacy, information security, access control and data handling policies.

5. Implementation and dedication

The compliance framework must be implemented, monitored and maintained as an ongoing business practice. Management and all employees must adopt and adhere to these steps to maintain compliance and avoid the penalties the Act provides for, which include administrative fines of up to R10 million and, for certain offences, imprisonment, as well as civil claims by affected data subjects.

Zooming in on payroll and HR data, all information must be stored securely, backed up so that it cannot be lost or accidentally deleted, and made accessible only to the individuals who are authorised to handle it, with access granted on a need-to-know basis and reviewed regularly.

All information gathered on employees may be used only for the purpose for which it was collected, unless there is a legal obligation to use it otherwise or the employee has given consent for the additional purpose.

While becoming POPIA compliant may seem like an endless maze, view it instead as an opportunity to protect all stakeholders and improve business practices. Develop a culture of privacy protection that starts at management level and filters down to the rest of the company, reinforcing that all personal information must be handled with integrity.

Do not wait until the last minute to act on compliance. Seek help from specialists where needed, and embrace the possibility that these steps can improve operations and processes, leading to better customer engagement and cost savings.