Pulse Staff Newsletter


RMA Gears up for GDPR and the POPI Act

You may have heard the acronyms GDPR and POPIA floating around the business but what do they mean for us at RMA?

Why is GDPR important to RMA?

GDPR, the General Data Protection Regulation, is the primary legal privacy framework in the European Union (EU). GDPR governs how personal information must be processed to ensure the protection of the rights and freedoms of natural persons in the EU. This is relevant for us because we currently have beneficiaries (pensions) based in EU countries and members with employees working in EU countries.

Microsoft Azure and Office 365 (hosted in EU data centres) are used for sending emails, storing data and security checks. MIMECAST is used for email archiving and for checking and filtering spam and viruses in emails. Staff information is also saved to Microsoft OneDrive. This means that RMA has data stored in the EU.
Although RMA is not established in the EU and may not be marketing to or monitoring living persons in the EU, Microsoft is established in the EU and is therefore subject to the relevant provisions of the GDPR. Microsoft may in turn impose certain of these obligations on RMA when the parties enter into data processing agreements.

Why is POPIA important to RMA?

POPIA is the Protection of Personal Information Act 2013, which provides for the protection of the right to privacy for natural and juristic (company) persons. POPIA introduces requirements for the processing of personal information by parties like us. The POPIA Regulations were finalised and published in the Government Gazette on 14 December 2018, with the effective date yet to be announced.

What is personal information?

Personal information means information that includes, but is not limited to:
•    Contact details of the person – e-mail address, physical address, telephone number, etc.
•    Biometric information of the person – blood type, fingerprints, etc.
•    History of the person – education, medical, financial, criminal or employment
•    Demographic information of the person – ID, age, gender, race, ethnicity, birth date, etc.
•    Private correspondence sent by the person – any private and confidential correspondence
•    Opinions of and about the person – the views or opinions of another individual about the person

What is RMA doing to ensure compliance with these privacy laws?

With regard to the GDPR, all contracts entered into between RMA and Microsoft have been reviewed and submitted for discussion between the parties.
The key requirements of POPIA are the implementation of a compliance framework and the performance of personal information impact assessments covering the processing of personal information by RMA and its service providers.

The compliance framework will ensure that the actions taken by responsible parties to protect the rights of data subjects are effective. A successful framework will establish a solution for designing and implementing measures, safeguards and processes for responsible parties which are needed to comply with POPIA, and which information officers can use to monitor the status of compliance. To comply with the requirements, we have launched the GDPR and POPIA Project Phase 1.

GDPR and POPIA Project Phase 1

This project kicked off in February 2019. The Phase 1 focus areas of the GDPR and POPIA Compliance Project, covering the first 6 months, are currently in progress within Membership, Claims, Medical Benefits and ICT.

We will keep you informed of all upcoming changes. If you need further information on GDPR and POPIA, you may chat with our Legal team.