Are you prepared for the POPI Act 2020?
It’s not business as usual anymore in 2020. The Protection of Personal Information (POPI) Act presents one of the most disruptive compliance changes in South Africa’s business history. The POPI Act will change the way business deals with information in an information-driven society. The POPI Act will challenge businesses in ways never before imagined.
The Act was first mooted in 2005. After much debate, it was finally signed off by the President in November 2013. When the Act finally does take effect this year, individuals and legal entities will have a grace period of 12 months before it will be enforced. This will give them time to prepare and to ensure that their information capture, storage and usage systems are aligned with the requirements of the Act.
The core purpose of the Act is to ensure that individuals and juristic persons know exactly what is being done with their personal information. The rights flow from the universal right to privacy, which is also enshrined in our Constitution. The Act creates a framework of principles, duties, rights, rules and enforcement mechanisms. It is lengthy and covers – in great detail – all aspects of information management. It is designed to deal with the following key questions relating to the protection of personal information:
- What is done with your information?
- How is your information processed or shared?
- Who receives your information or with whom is it shared?
- What type of information is processed or shared?
- Why is your information processed or shared?
“Personal information” includes information about clients or suppliers – such as their contact details and correspondence. Other examples include HR and payroll data, CVs, applications for employment, CCTV records, performance reviews, demographic information, personal history and communication history, such as internal e-mails.
Special Personal Information
The Act prohibits the processing of “special personal information”. This covers information about a person’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, criminal behaviour and biometric information.
Processing Personal Information
“Processing” personal information includes the collection, collation, storage, modification, merging, updating, dissemination and usage of data and information. The means of doing so include electronic communication, which means any text, voice, sound or image message sent over an electronic communications network.
The POPI Act will test your business from the granular to the macro issues.
Compliance will have an impact on the processes, technology and manner in which employees handle and process personal information. The Act provides for a one-year implementation timeframe.
The Chairperson of the Information Regulator wants to have POPI fully active early this year (2018). So, has your business appointed an Information Officer? Have they started working on the following:
- An Awareness Process for staff members;
- A Promotion of Access to Information Act (PAIA) Manual Update;
- Internal Systems to Process Requests;
- Measures and Standards; and
- A Compliance Framework?
8 Conditions for Lawful Processing of Personal Data
The Act prescribes the following eight conditions, which individuals and entities must comply with for their processing of personal information to be lawful:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation
Special provisions are introduced to regulate direct marketing practices. The primary issue is to ensure that the data subject gives fully informed consent to the direct marketing operator before his, her or its personal information may be used to market or promote goods and services or to solicit donations of any kind. The operator needs to secure the data subject’s consent only once. However, it will need to update the consent if it intends to use the information for some other reason, or in a different form, to which the data subject did not originally agree.
SEIFSA’s expert will make your POPI Act compliance challenge easier to handle.
The Act will align the regulation of personal information in South Africa with international trends and standards. It seeks to strike a balance between the right to individual privacy and the public interest. This is a difficult balancing act which will no doubt lead to controversies arising in some spheres of life, including in business. Individuals and legal entities will have a reasonable time to prepare themselves for the implementation of the Act. The purposes of the Act are laudable, and it would be advisable to start taking steps to comply with it – both in its letter and its spirit.