Mapping 'Security Safeguard' Requirements in a Data Privacy legislation to an International Privacy Framework: A Compliance Methodology

It is commonplace for organisations to collect personal information to be processed and stored on their systems. Until recently, there was no comprehensive legislation that addressed the 'processing' of personal information by organisations in South Africa. The Protection of Personal Information Bill ("POPI") was signed into law in November 2013 and is expected to come into effect, later this year (2015). POPI is informed by international data privacy legislation. The implications are that it will be incumbent for organisations to revisit how they 'handle' peoples' personal information. This can be a daunting task as evidenced by countries that still find it a challenge to comply with data privacy laws that have been enacted there, a while ago. This article proposes a methodology to comply with POPI. The Generally Accepted Privacy Principles (GAPP) is an American/Canadian framework containing international privacy requirements with best practices. Both, POPI and GAPP address a common purpose: 'How personal information is collected, used, retained, disclosed, and disposed.' GAPP is reputed as a solid benchmark for good privacy practice, comprising of ten overarching privacy principles which yields a set of criteria for effective management of privacy risks and compliance. Much of the provisions in POPI is addressed in GAPP. A key condition (Security Safeguards) in POPI stipulates what aspects of personal information must be adequately secured, with limited insight on how to go about this process. Accordingly, this article proposes a methodology to fill this gap. All of the provisions under ' Security Safeguards' in POPI is mapped onto GAPP, thereby contextualising GAPP to facilitate compliance with South Africa's data privacy legislation and to the same end, complying with international privacy laws. This framework could also be implemented as a checklist/auditing document, guiding the organisation in its implementation of data privacy and POPI compliance.