By now many organisations have realised and accepted that the POPIA (Protection of Personal Information Act) is a continuous data privacy protection and compliance journey instead of a mere tick box exercise.

As the public and customers become more privacy-savvy, data subject access requests are on the rise. Customers want to know what information brands hold of them, what they have consented to and how their data is being managed. The rise of privacy centres on website portals is just one example of how companies are responding to give customers and users more transparency and control.

Processes for responding to such requests are a focus point – however, the focus should rather be on how to leverage this as an opportunity to build trust with customers and make privacy central to your brand’s value proposition.  

The legislation that guides data subject participation

To understand data subject access requests in South Africa, organisations need to consider another piece of parallel legislation to POPIA, namely the Promotion of Access to Information Act (PAIA).

PAIA predates POPIA and has been a part of the legislative landscape since 2002. As explained by Adv. Pansy Tlakula in the PAIA Guide foreword: “The aim of PAIA is to foster a culture of transparency and accountability in public and private bodies. It does that by giving effect to the right of access to information and actively promoting a society in which the people of South Africa have effective access to information to enable them to more fully exercise and protect all of their rights and also to realise South Africa’s goals of an open and participatory democracy.”

Even though PAIA’s application is appropriately broad, and includes a broad spectrum of information, it intersects with POPIA in its aim to uphold transparency and the right of access to personal information using the mechanisms set out in the PAIA manual.

How should an organisation approach data subject access requests?

Under Section 23 of POPIA, a data subject has the right to request information from a responsible party by means of a data subject access request. For example, such a request can be submitted to the responsible party to determine whether the responsible party holds personal information about the data subject.

We often talk about POPIA Greenhouse Factors. While the ultimate objective is to establish compliance with the provisions of POPIA, giving attention to these Greenhouse Factors is cardinal foundation laying work as it cultivates accepted behaviour within an organisation that will purposefully lead to good privacy-first behaviour within a legal framework.

Two of these factors include a centralised system and proactively communicating with data subjects.

1. Do not underestimate the value of a centralised system

Just as critical as the legality of complying with a data subject access request, is a centralised system that underpins the processing and record-keeping of personal information. As change managers in a data privacy era, our focus remains on helping organisations to not only cultivate behaviour that secures personal information and sensitive data, but also to optimise behaviour for record-keeping and retrieval.

Gone are the days of stationary, excel-based ‘systems’. Information that is correctly indexed on a secure system, such as a cloud-based CRM linked to online forms, instead of fragmented on various personal drives or Excel sheets, takes care of two birds with one stone and offers Information Officers with enough control via automation and form completion notifications to keep track of access requests. The risk of missing an access request comes with consequences, and so a proper system is essential.

2. Seize every opportunity to engage with data subjects transparently

Seize the opportunity to act with transparency and to respect personal and organisational data. Ideally an organisation should create opportunities to reach out to data subjects and present them with the opportunity to update or correct their personal information in an online ‘preference centre’. What the organisation has done right here is to eliminate a future reactive response to an aggravated customer wishing to access or amend his or her data, and to terminate the relationship with the brand. This process not only shows an organisation’s premeditated commitment to protecting the customer, but also strengthens the existing relationship and ultimately builds trust.

Pre-empting opportunities for data subject participation is only one of the ways that allows organisations to meaningfully engage and operate as compliant juristic citizens. There has never been a better time for organisations to be well-versed in the existing data privacy legislation while translating legal obligations into practical implementations.