Does the POPI Act apply to my business?

By Mich Martins, CEO at MWare Automated Business Solutions

Share this with your network

The POPI Act protects natural persons and companies, and therefore, on this basis alone, it applies to you! It is as relevant for a big business as it is for a small or medium company.

If you answer yes to any of these questions, all instances of processing will need to comply with the POPI Act!

  • Do you have, keep, store and or retain a vendor list?
  • Do you have a website where people may contact you?
  • Do you send promotional material or newsletters to clients?
  • Do you simply have a spreadsheet which details past transactions with your clients?
  • Do you have employees whose personal information you keep on record?

The POPI Act governs the processing and protection of personal information with the essential aim of upholding the right of privacy of persons as provided for in South Africa’s constitution.

It places specific obligations on persons who request, collect, store, destroy or otherwise use personal information relating to another person in order to prevent and protect such person from suffering potential damage or harm. Furthermore, remedies are catered for in the event of breach of a person’s personal information, or if any of the conditions for lawful processing are imposed by the POPI Act.

It was signed into law in 2013. It has commenced from 1 July 2020 with a grace period of 12 months, expiring on 30 June 2021, when your organisation’s policy needs to be implemented. The Information Regulator is already receiving complaints, so you do not want your organisation to be on the radar to be reported, investigated and penalised.

Is your business ready to comply with the POPI Act?

For the more serious offences, the maximum penalties are a R10 million fine or imprisonment for a period not exceeding 10 years, or both a fine and imprisonment.

In addition to the above:

  • Potential reputational damage due to complaints being lodged.
  • Aggrieved party can initiate court action for appropriate relief in the event of non-compliance.

What is personal information?

Any type of information that relates to a person or that can identify a person with regards to gender, race, name, marital status, age, medical history, employment history, e-mail address, opinions or views, nationality and ethnicity, health, financial history, ID number, contact number, physical address, language, confidential correspondence sent by that person, education, sexual orientation, criminal history.

What does processing of personal information refer to?

Any manual or automatic activity in terms of which personal information is received, collected, recorded, updated, retrieved, organised, stored, used, modified, transferred, destroyed or shared.

Who are the key role players identified by the POPI Act?

  • Data subject
    • A human being or company to whom personal information relates.
  • Responsible person
    • A person who determines the means and purposes of processing personal information of a data subject.
  • Operator
    • A person or third party contracted by the responsible party to assist with the processing of personal information, for example a contracted HR service provider, or a cloud hosting partner tasked with hosting servers or data in the cloud.

The governance of the relationship between the responsible party and the operator is vital from a POPI Act perspective.

The responsible party remains accountable to the Information Regulator and the Data Subject in the event of non-compliance or breach of personal information.

Therefore, any contract, for instance a service level agreement, between the responsible party and the operator should clearly cater for the processing duties of the operator and provide for the relevant indemnity in the event that either party exceeds their authority or if there is a breach, define what the incident reporting strategy is going to be. Should there be a problem, the responsible party will still be accountable, but it safeguards itself by having a right of recourse against the operator in terms of the contract concluded.

Every organisation should have an information officer. If nobody is officially appointed to the role, the default position in terms of the POPI Act is that the organisation’s CEO is the Information Officer. The Information Officer must be registered with the Information Regulator.

Duties of the information officer:

  • Encourage and ensure organisation’s compliance with the POPI Act.
  • Deal with requests made in terms of the POPI Act and PAIA.
  • Work with the Information Regulator in relation to investigations involving the organisation.
  • Develop, implement, monitor and maintain a compliance framework for the organisation.
  • Do an impact assessment to ensure that adequate measures and standards exist for the lawful processing of personal information.
  • Develop and maintain a PAIA manual.
  • Create internal awareness by having regular training and awareness sessions and workshops.

The eight conditions for the lawful processing of personal information:

  • Accountability
    • The responsible party takes full responsibility for how a data subject’s personal information is processed.
  • Processing limitation
    • The processing of personal information is limited to the consent of the data subject or allowed by law.
  • Purposes specification
    • Due to the responsible party being limited to the confines of the consent granted, the purpose for why personal information is required must be identified.
  • Further processing limitation
    • There are restrictions on the further distribution of personal information to anyone else or to use the personal information for any other purpose.
  • Information quality
    • The POPI Act places an obligation on a business to ensure that the personal information remains correct and up-to-date.
  • Openness
    • The responsible party must inform the data subject in the event of a breach of their personal information, what personal information you have on them, as well as how and where it is stored.
  • Security safeguards
    • Physical and digital security measures to protect personal information must be put in place.
  • Data subject participation
    • Respecting the rights of every data subject to have access to and control over their personal information.

There are many moving parts in the POPI Act compliance journey. An oversight in one area can impact every other area of the business and put your data at risk.

“Do not delay starting now, as generally, a compliance project can take between six to nine months,” advises Mich Martins of MWare Automated Business Solutions. “If you can prove to the regulator after 1 July 2021 that you have started and are in the process of working towards compliance with systems and advisory processes being implemented. you should be offered clemency should you experience a data breach of sorts.”

Share this with your network