POPIA Compliance

Our commitment to the Protection of Personal Information Act and data protection excellence

1. POPIA Overview

The Protection of Personal Information Act (POPIA), Act No. 4 of 2013, came into full effect on July 1, 2021, establishing comprehensive data protection requirements for all organizations processing personal information in South Africa.

Our POPIA Commitment

Kulungwana Accountants is fully committed to POPIA compliance and has implemented comprehensive policies, procedures, and technical measures to ensure the lawful processing of personal information. We view data protection not just as a legal requirement, but as a fundamental aspect of client trust and professional integrity.

1.1 Scope of Application

POPIA applies to our processing of personal information about:

  • Current and prospective clients
  • Employees and job applicants
  • Suppliers and business partners
  • Website visitors and newsletter subscribers
  • Any other individuals whose personal information we process

1.2 Key Definitions

  • Personal Information: Information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person
  • Processing: Any operation or activity performed on personal information, including collection, receipt, recording, organization, collation, storage, updating, retrieval, alteration, consultation, use, dissemination, merging, linking, restriction, degradation, erasure, or destruction
  • Data Subject: The person to whom personal information relates
  • Responsible Party: A person who determines the purpose of and means for processing personal information
  • Operator: A person who processes personal information on behalf of a responsible party

2. Our Compliance Framework

We have established a comprehensive POPIA compliance framework built on the foundation of the eight processing conditions and supported by robust governance structures.

2.1 Governance Structure

  • Information Officer: Appointed to oversee POPIA compliance and serve as the primary contact for data protection matters
  • Privacy Committee: Cross-functional team responsible for policy development and compliance monitoring
  • Data Protection Champions: Designated staff members in each department to promote privacy awareness
  • External Legal Counsel: Specialized privacy lawyers providing ongoing guidance on complex matters

2.2 Policy Framework

Our comprehensive policy framework includes:

  • Data Protection and Privacy Policy
  • Data Retention and Disposal Policy
  • Data Breach Response Policy
  • Third-Party Data Processing Policy
  • Employee Privacy Training Policy
  • Client Consent Management Procedures

Continuous Improvement

Our compliance framework is subject to regular review and updating to ensure alignment with evolving legal requirements, best practices, and business needs. We conduct annual compliance assessments and implement necessary improvements.

3. Information Officer

In accordance with Section 55 of POPIA, we have appointed a qualified Information Officer responsible for ensuring compliance with the Act.

3.1 Responsibilities

Our Information Officer is responsible for:

  • Developing and implementing data protection policies and procedures
  • Monitoring compliance with POPIA requirements
  • Serving as the point of contact for data subjects exercising their rights
  • Liaising with the Information Regulator when required
  • Conducting privacy impact assessments
  • Managing data breach incidents and notifications
  • Providing privacy training and awareness programs
  • Maintaining records of processing activities

3.2 Contact Information

Information Officer Contact Details

Name: Sarah Molefe
Title: Information Officer & Compliance Manager
Email: privacy@kulungwana.co.za
Phone: +27 12 123 4567
Postal Address: 123 Brooklyn Road, Brooklyn, Pretoria, 0181

4. Processing Principles

We adhere strictly to the eight processing conditions outlined in POPIA:

4.1 Accountability

We take full responsibility for our processing activities and can demonstrate compliance through documented policies, procedures, and audit trails.

4.2 Processing Limitation

Personal information is processed:

  • Lawfully and in a reasonable manner
  • Only for specific, explicitly defined, and legitimate purposes
  • With adequate safeguards and security measures
  • By authorized personnel only

4.3 Purpose Specification

We clearly specify the purpose of processing at the time of collection and ensure that any further processing is compatible with the original purpose.

4.4 Further Processing Limitation

Further processing is only undertaken when compatible with the original purpose or when we have obtained additional consent or legal authorization.

4.5 Information Quality

We ensure that personal information is:

  • Complete, accurate, and not misleading
  • Updated where necessary
  • Verified through appropriate means
  • Corrected when inaccuracies are identified

4.6 Openness

We maintain transparency about our processing activities through clear privacy notices and readily available information about our data protection practices.

4.7 Security Safeguards

We implement appropriate technical and organizational measures to secure personal information against unauthorized access, modification, disclosure, or destruction.

4.8 Data Subject Participation

We respect and facilitate the exercise of data subject rights, providing accessible mechanisms for individuals to exercise their rights under POPIA.

6. Data Subject Rights

We are committed to facilitating the exercise of all rights granted to data subjects under POPIA.

6.1 Right of Access (Section 23)

Data subjects have the right to:

  • Request confirmation of whether we process their personal information
  • Obtain access to their personal information
  • Receive information about our processing activities
  • Request the source of personal information where it was not collected directly

6.2 Right to Correction (Section 24)

Data subjects may request correction or deletion of:

  • Inaccurate, irrelevant, excessive, or outdated personal information
  • Personal information collected or processed unlawfully
  • Personal information no longer required for the original purpose

6.3 Right to Object (Section 11(3))

Data subjects may object to processing for:

  • Direct marketing purposes
  • Legitimate interests (subject to our assessment of overriding legitimate grounds)

6.4 Processing Requests

We process data subject requests according to the following timeline:

  • Acknowledgment: Within 7 days of receipt
  • Response: Within 30 days of receipt (extendable by 30 days in complex cases)
  • Implementation: Immediate for urgent matters, otherwise within a reasonable timeframe

7. Security Measures

We implement comprehensive security measures to protect personal information against unauthorized access, modification, disclosure, or destruction.

7.1 Technical Safeguards

  • Encryption: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection systems, and secure VPN connections
  • Backup and Recovery: Encrypted backups with tested recovery procedures
  • Monitoring: 24/7 security monitoring and logging

7.2 Administrative Safeguards

  • Security Policies: Comprehensive information security policies and procedures
  • Training: Regular security awareness training for all staff
  • Access Management: Periodic review and updating of access rights
  • Vendor Management: Due diligence and contractual safeguards for third parties

7.3 Physical Safeguards

  • Premises Security: Controlled access to office premises
  • Workstation Security: Locked screens and secure storage
  • Document Security: Locked filing cabinets and secure disposal
  • Device Security: Encryption and remote wipe capabilities for mobile devices

8. Data Breach Management

We have established comprehensive procedures for detecting, responding to, and managing data breaches in accordance with POPIA requirements.

8.1 Breach Response Team

Our breach response team includes:

  • Information Officer (Team Leader)
  • IT Security Manager
  • Legal Counsel
  • Communications Manager
  • Relevant Business Unit Leaders

8.2 Response Timeline

Each phase is listed with its timeline and key actions:

  • Detection & Assessment (Immediate): Identify breach, assess impact, activate response team
  • Containment (Within 1 hour): Stop the breach, preserve evidence, assess scope
  • Notification (Within 72 hours): Notify Information Regulator if required
  • Communication (Without undue delay): Notify affected data subjects where required
  • Recovery (Ongoing): Restore systems, implement improvements

8.3 Notification Criteria

We notify the Information Regulator when a breach:

  • Involves special personal information
  • Affects a large number of data subjects
  • Poses significant harm to data subjects
  • Involves systemic or repeated incidents

9. Third-Party Processing

When engaging third parties to process personal information on our behalf, we ensure adequate contractual and technical safeguards are in place.

9.1 Operator Agreements

All third-party processors must sign comprehensive operator agreements that include:

  • Clear definition of processing purposes and limitations
  • Confidentiality and security obligations
  • Data subject rights facilitation requirements
  • Data breach notification procedures
  • Audit rights and compliance monitoring
  • Data return or destruction upon termination

9.2 Due Diligence Process

Before engaging any operator, we conduct thorough due diligence including:

  • Security and privacy policy review
  • Compliance certification verification
  • Technical safeguard assessment
  • Financial stability evaluation
  • Reference checks and reputation assessment

9.3 Ongoing Monitoring

We maintain ongoing oversight of our operators through:

  • Regular compliance audits and assessments
  • Performance monitoring and reporting
  • Incident notification and response procedures
  • Annual contract reviews and updates

10. Training and Awareness

We maintain a comprehensive privacy training and awareness program to ensure all staff understand their obligations under POPIA.

10.1 Training Program

Our training program includes:

  • Induction Training: POPIA fundamentals for all new employees
  • Role-Specific Training: Detailed training based on job responsibilities
  • Annual Refresher Training: Updates on legal changes and best practices
  • Specialized Training: Advanced courses for privacy champions and IT staff

10.2 Awareness Activities

We promote ongoing privacy awareness through:

  • Regular privacy tips and updates in internal communications
  • Privacy-focused lunch and learn sessions
  • Annual Privacy Awareness Week activities
  • Privacy incident case studies and lessons learned

10.3 Compliance Monitoring

We monitor compliance through:

  • Regular privacy audits and assessments
  • Staff privacy knowledge testing
  • Privacy incident tracking and analysis
  • Client feedback and complaint analysis
  • Continuous improvement initiatives

Certification and Recognition

Our commitment to POPIA compliance has been recognized through various certifications and assessments. We maintain ISO 27001 certification for information security management and regularly participate in privacy maturity assessments to ensure continuous improvement.

Contact Our Information Officer

For any questions about our POPIA compliance program, to exercise your rights as a data subject, or to report privacy concerns, please contact our Information Officer:

Information Officer

Sarah Molefe
Information Officer & Compliance Manager
Kulungwana Accountants

Email: privacy@kulungwana.co.za
Phone: +27 12 123 4567
Address: 123 Brooklyn Road, Brooklyn, Pretoria, 0181

Office Hours: Monday to Friday, 8:00 AM - 5:00 PM

You may also lodge a complaint with the Information Regulator of South Africa:

Information Regulator:
Website: www.justice.gov.za/inforeg
Email: inforeg@justice.gov.za
Phone: +27 12 406 4818