The Protection of Personal Information – or POPI – Act regulates how organisations handle personal information, whether it’s for individuals or other businesses. This includes how the information is stored, processed and shared.
The deadline to be fully compliant with POPIA requirements is 1 July 2021. Many areas, such as Operations, IT, Marketing and HR, will need to align their processes to ensure the business is compliant with POPI.
When POPI will apply, and when not
If you fail to comply with the POPI Act, whether the failure is intentional or accidental, you can be liable for an administrative fine of up to R10 million. If your clients are impacted by a data breach, POPIA also empowers them to take civil action for damages.
As part of The Maniacs Group Data Protection Programme, we have developed a POPIA compliance framework, “PACK AND STACK”, that contains all the latest features needed to secure your information and that of your clients.
Personal information is any information that may reasonably be used to identify a particular individual. Some examples of personal information are ID numbers, email addresses, phone numbers and addresses, ages and dates of birth, medical records, criminal records, financial information and employment history.
Photos or video recordings that show individuals – whether in business or social settings – also constitute personal information.
Information that is about individuals but that cannot be used to identify them does not qualify as personal information. Examples are anonymous survey results and demographic statistics.
Any organisation that obtains, processes, stores or shares personal information is required to comply with the POPI Act. For example, if your business keeps information about employees and/or customers, it has to comply.
In practice, this means very few South African companies are exempt.
To comply with the Act, businesses must implement proper systems for getting individuals’ consent and for deleting or destroying personal information once it’s no longer required. They should add disclaimers to physical and digital forms where applicable, and update their terms and conditions to communicate what information they possess and how it will be used, stored and, if applicable, shared.
Businesses must also ensure that any personal information they collect is adequately protected from data breaches and theft. This may involve updating systems used to collect and store personal information, and implementing new security products and protocols. Ideally, it should also involve training all staff on data protection and privacy requirements. Non-compliance with POPI can result in a hefty fine and/or imprisonment for up to 12 months.
Direct marketing is dealt with in section 69 of the POPI Act. No direct marketing may be conducted electronically unless the data subject has consented to it. The marketer may approach the data subject only once to obtain that consent.
Anyone who uses electronic direct marketing must disclose the identity of the advertiser and provide the consumer with an opt-out route. The rules of personal information collection apply here as well: any person whose information is sought must be offered the opportunity to consent to its collection.
If a data subject feels that his or her rights in terms of the POPI Act have been infringed, he or she may approach the Information Regulator (IR), the body that facilitates the implementation of the Act.
If a data breach occurs or personal information is compromised in some way, the responsible organisation is required to inform the affected parties and the Information Regulator immediately.
The nature of the breach and the steps being taken to rectify the situation must be explained, where possible. A subsequent investigation will determine whether the business took all reasonable measures to protect the information.
Consent is closely related to two other important issues: disclosure and signature. The three are often so closely linked that you cannot deal with one without the others. Consent is often obtained electronically, and in that context electronic consents, disclosures and signatures become a very important issue.
The legal definition of consent:
POPI defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
This is the measure, or test, that you must meet whenever you need to obtain consent. The words “specific” and “informed” are of particular relevance. They are, however, open to some interpretation.
Some key points regarding consent and POPI:
The Information Officer of an organisation is an important person when it comes to information. By default, every single organisation in South Africa has one: the law (more particularly the Promotion of Access to Information Act, or PAIA) automatically designates a person in each organisation as its Information Officer. This is not the Chief Information Officer; the two perform very different roles.
At one point the role was referred to as the Information Protection Officer, but the correct term is Information Officer. Some people also use the term Privacy Officer, but in our view this is incorrect terminology: the role of a Privacy Officer is something else and may encompass that of the Information Officer, but the two should not be confused. The Information Officer performs the same role as a Data Protection Officer under the GDPR.
The Information Officer is an important person because they are responsible for ensuring that the organisation complies with PAIA. They are also responsible for ensuring that the organisation complies with the POPI Act, and they are a key person in any compliance project or programme. An Information Officer of a responsible party (or body) must:
The PACK ‘N STACK Toolkit has been designed for small to large businesses and for people with no prior experience of the POPI Act.
The Toolkit has been designed by our specialists to make sure that your personal data and that of your clients is secure, and to help protect against cyber attacks.
The Packages can be customised according to your requirements and specifications.
It includes the following:
Let us assist you with a free audit of your environment: just fill in your details and we will contact you.