Are you prepared for one of the most disruptive challenges ever to your business?
It’s not business as usual anymore. The Protection of Personal Information Act (POPIA) presents one of the most disruptive compliance changes in South Africa’s business history. The POPI Act (POPIA) will change the way business deals with information in an information-driven society and will challenge businesses in ways never before imagined.
The Act was first mooted in 2005. After much debate, it was finally signed off by the President in November 2013. The remaining provisions of the POPI Act, which relate to the processing of personal information, will become effective on the 31st of June 2021. Individuals, legal entities, and private bodies will have a grace period of 12 months before it will be enforced. This will give them time to prepare and to ensure that their information capture, storage, and usage systems are aligned with the requirements of the Act and secure POPI compliance.
The core purpose of the POPI Act is to ensure that individuals and juristic persons know exactly what is being done with their personal information. The rights flow from the universal right to privacy, which is also enshrined in our Constitution. The POPI Act creates a framework of principles, duties, rights, rules, and enforcement mechanisms. In simple terms, it is a lengthy code of conduct that covers – in great detail – all aspects of information management. It is designed to deal with the following key questions relating to the protection of personal information:
- What is done with your information?
- How is your information processed or shared?
- Who receives your information or with whom is it shared?
- What type of information is processed or shared?
- Why is your information processed or shared?
“Personal information” includes information about clients or suppliers – such as their contact details and correspondence. Other examples include HR and payroll data, CVs, applications for employment, CCTV records, performance reviews, demographic information including gender, personal history, telephone numbers, physical address, financial information, and communication history, such as internal e-mails.
Special Personal Information
The POPI Act enforces the regulation of the processing of special personal information and prohibits the unlawful access and use of this information. This covers information that can be used to identify a natural person. This includes religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, medical history or sex life, criminal behaviour, and biometric information.
Processing Personal Information
“Processing” personal information includes collecting, collating, storing, modifying, merging, updating, disseminating, and using data and information. The means of doing so include access to unsolicited electronic communication, which includes any text, voice, sound or image message sent over an electronic communications network as well as private correspondence.
The POPI Act will test your business from the granular to the macro issues with the aim of ensuring the lawful processing of personal information and data confidentiality.
Compliance will have an impact on the processes, technology, and manner in which employees handle and process personal information. The Act allows for a one-year implementation timeframe and non-compliance after this timeframe will result in penalties and possible imprisonment.
So, has your business appointed an Information Officer? Have they started working on the following:
- An Awareness Process for staff members;
- A Promotion of Access to Information Act (PAIA) Manual Update;
- Internal Systems to Process Requests;
- Security Measures and Standards; and
- A Compliance Framework and the implementation of organisational measures.
Eight Conditions for Lawful Processing of Personal Data
The Act prescribes the following eight conditions, which responsible parties, including individuals and entities, must comply with for their processing of personal information to be lawful:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation
Special provisions are introduced to regulate direct marketing practices. The primary issue is to ensure that the data subject gives fully informed consent to the direct marketing operator before his, her or their personal information may be used to market or promote goods and services or to solicit donations of any kind. The operator needs to secure the data subject’s consent only once. However, it will need to update the consent if it intends to use the information for some other reason, or in a different form, to which the data subject did not originally agree.
SEIFSA’s experts will make the challenge of complying with the POPI Act easier to handle.
The Act will align the regulation of personal information in South Africa with international trends and standards. It seeks to strike a balance between the right to individual privacy and the public interest while maintaining levels of integrity. This is a difficult balancing act that will no doubt lead to controversies arising in some spheres of life, including in business. Individuals and legal entities will have a reasonable amount of time to prepare themselves for the implementation of the Act. The purposes of the Act are laudable, and it would be advisable to start taking steps to comply with it – both in its letter and its spirit.
Learn how to comply with the POPI Act (POPIA)
This workshop will help participants understand the impact of the POPI Act on their businesses while providing them with the knowledge needed to effectively comply with it.