POPI Act Information, Tips and Guidance

Are You POPI Compliant?

The Protection of Personal Information – or POPI – Act regulates how organisations handle personal information, whether it’s for individuals or other businesses. This includes how the information is stored, processed and shared.

The deadline to be fully compliant with POPIA requirements is 1 July 2021. Many areas, such as Operations, IT, Marketing and HR, will need to align their processes to ensure the business is compliant with POPI, and to understand when POPI applies and when it does not.

If you fail to comply with the POPI Act, whether intentional or accidental, you can be liable for an administrative fine of up to R10 million. If your clients are impacted by a data breach, POPIA even empowers them to take civil action for damages.

As part of The Maniacs Group Data Protection Programme, we have developed a POPIA compliance framework, “PACK AND STACK”, that contains all the latest features to keep your information, and that of your clients, secure.

What is personal information?

Personal information is any information that may reasonably be used to identify a particular individual. Some examples of personal information are ID numbers, email addresses, phone numbers and addresses, ages and dates of birth, medical records, criminal records, financial information and employment history.
Photos or video recordings that show individuals – whether in business or social settings – also constitute personal information.
Information that’s about individuals but that can’t possibly be used to identify them doesn’t qualify as personal information. Examples are anonymous survey results and demographic statistics.

Who has to comply with the POPI Act?

Any organisation that obtains, processes, stores or shares personal information is required to comply with the POPI Act. For example, if your business keeps the information about employees and/or customers, it has to comply.
In practice, this means very few South African companies are exempt.

How does POPI affect your business?

To comply with the Act, businesses must implement proper systems for getting individuals’ consent and for deleting or destroying personal information once it’s no longer required. They should add disclaimers to physical and digital forms where applicable, and update their terms and conditions to communicate what information they possess and how it will be used, stored and, if applicable, shared.
Businesses must also ensure that any personal information they collect is adequately protected from data breaches and theft. This may involve updating systems used to collect and store personal information, and implementing new security products and protocols. Ideally, it should also involve training all staff on data protection and privacy requirements. Non-compliance with POPI can result in a hefty fine and/or imprisonment for up to 12 months.

What does POPI mean when it comes to direct marketing?

This is dealt with in section 69 of the POPI Act. No direct marketing may be conducted electronically unless the data subject has consented thereto. The marketer may approach the subject only once to obtain consent.
Anyone who uses electronic direct marketing must disclose the identity of the advertiser and provide the consumer with an opt-out route. The rules of personal information collection apply here as well – any person whose information is sought must be offered the opportunity to consent thereto.
If the data subject feels that his/her rights in terms of the POPI Act have been infringed upon, he/she may approach the Information Regulator (IR), who facilitates the implementation of the act.

What if there's a data breach?

If a data breach occurs or personal information is compromised in some way, the responsible organisation is required to inform the affected parties, including the Information Regulator, immediately.

The nature of the breach and the steps being taken to rectify the situation must be explained, where possible. A subsequent investigation will determine whether all reasonable measures were taken by the business to protect the information.

What are the legal requirements for consent?

Consent is closely related to two other important issues – disclosure and signature. The three are often so closely related that you can’t actually deal with one without the others. Often consent is obtained electronically and in this context electronic consents, disclosures and signatures become a very important issue.

The legal definition of consent:
POPI defines consent to be “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.

This is the measure or test that you must meet if you need to obtain consent. The words “specific” and “informed” are of particular relevance. They are, however, open to some interpretation.

Some key points regarding consent and POPI:

  • A person must have a choice whether to consent or not (it must be voluntary).
  • It must relate to a specific purpose (for example, to contact me about insurance products).
  • You must specify your purpose.
  • You must notify the data subject of various things as set out in section 18 of the POPI Act.
  • You must inform the person sufficiently to enable them to make a decision.
  • There must be an expression of will, for example ticking a tick box or clicking on a link. This is open to interpretation: can a box be ticked by default, for example? Is deemed or inferred consent acceptable?
  • Another important point is that POPI does not require you to get the consent of the data subject in all instances. There are several other justifications in section 11 of the POPI Act that you can rely on to process lawfully. Consent can be very useful, but it is not the only justification.

The Information Officer

The Information Officer of an organisation is an important person when it comes to information. By default, every single organisation in South Africa has one. The law (more particularly the Promotion of Access to Information Act or PAIA) automatically designates a person in each organisation as an officer. Not the Chief Information Officer, but an Information Officer. They perform very different roles.

At one point the role was referred to as the Information Protection Officer, but the correct term is Information Officer. Some people also refer to a Privacy Officer, but in our view this is incorrect terminology. The role of a Privacy Officer is something else and may encompass that of the Information Officer, but the two should not be confused. The Information Officer performs the same role as a Data Protection Officer under the GDPR.

What are their responsibilities?

Under PAIA

The Information Officer is an important person because they are responsible for ensuring that the organisation complies with PAIA. An information officer of a responsible party (or body) must:

  • encourage and ensure compliance with PAIA in accordance with the body’s definition of compliance,
  • create, maintain and update a PAIA manual for the body, and
  • evaluate and approve requests for access to information received in terms of the grounds set out in PAIA, within the time constraint or any extended period.

Under POPIA

They are also responsible for ensuring that the organisation complies with the POPI Act. They are a key person in any project or programme. An information officer of a responsible party (or body) must:

  • encourage compliance with the conditions for the lawful processing of personal information,
  • deal with requests made pursuant to POPIA (presumably by the Information Regulator or data subjects),
  • work with the Regulator in relation to investigations conducted in relation to prior authorisations (pursuant to Chapter 6 of the POPI Act in relation to the body),
  • otherwise ensure compliance by the body with the provisions of POPIA,
  • develop, implement and monitor a compliance framework,
  • ensure that a personal information impact assessment is done,
  • ensure that adequate measures and standards exist,
  • develop, monitor, maintain and make available a PAIA manual,
  • develop internal measures and adequate systems to process requests for access to information,
  • ensure that internal awareness sessions are conducted, and
  • perform such other duties as may be prescribed (presumably by the Minister or the Information Regulator).

These responsibilities are set out in section 55 of POPIA and in the POPIA Regulations.

POPI PACK 'N STACK Toolkit

The PACK ‘N STACK Toolkit has been designed for small to large-sized businesses and people with no prior experience in the POPI Act.

The Toolkit has been designed by our specialists to make sure that your personal data, and that of your clients, is secure and protected against cyber attacks.

The Packages can be customised according to your requirements and specifications.

It includes the following:

  • Website Security and Cookie Notices
  • SSL Certificates
  • Office 365 Email and Office applications
  • Solarwinds Email Filtering and Archiving
  • Mimecast Email Security
  • File Server and Auditing
  • Sophos EndPoint Protection
  • Server Protection
  • Firewalls
  • Redstor Back-up and Recovery
  • Keeper Security Password Manager
  • SPOTICA Information Security Management Software
  • SENDMARC DMarc Email Protection

Are you Compliant?

Let us assist you with a free audit of your environment: just fill in your details and we’ll contact you.