The Scenario
A 35-person SA recruitment agency has never formally documented how it handles personal information. Candidates submit ID numbers, qualifications, and references via email; data sits on shared drives indefinitely. The director wants a checklist that brings the agency into POPIA-acceptable practice without enterprise tooling.
The Brief
Produce a POPIA-aligned data handling checklist for the agency. Cover collection, storage, access, retention, and disposal. Stay practical: this is for a 35-person SME, not a JSE-listed bank.
Deliverables
- A data inventory template listing the personal information categories the agency handles (CV data, ID copies, qualification copies, reference notes), the systems where each lives, and the lawful basis for processing
- A handling checklist covering: secure transfer (no email of ID numbers), storage location, access restriction, retention period, and disposal procedure for each category
- A staff guidance one-pager translating the POPIA principles into 10 day-to-day rules a recruitment consultant must follow
- A breach response section listing the steps to take if personal information is exposed: containment, internal reporting, Information Regulator notification timing, and data subject communication
Submission Guidance
POPIA compliance for an SME does not require expensive tooling. It requires habits: where data lives, who can see it, when it gets deleted. Aim for habits a real recruitment consultant can follow on a busy Friday.
Submit Your Work
Your submission is graded against the rubric on the right. If you pass, you get a public Badge URL you can share on LinkedIn. There is no draft save, so work offline first and paste your finished response here.