POPIA – why you should care
The Protection of Personal Information Act (POPIA) was enacted on 1 July 2020, but only became fully enforceable on 1 July 2021. Businesses enjoyed a 12-month grace period to comply with all the requirements. Since 1 July 2021, significant penalties for non-compliance have been in place. However, we are hearing daily from clients and friends about breaches of POPIA. If you are a business owner, even if you own a small business—especially if you own a small business—you really can’t afford to ignore POPIA. Small businesses are at risk because, even if they don’t have large customer databases or undertake sophisticated database marketing campaigns, they are also less likely to have legal or compliance departments whose job it is to keep them out of court!
Undoubtedly many POPIA breaches have happened unwittingly or accidentally, but that excuse won’t hold up in court, and POPIA carries with it personal liability for business owners. It’s not just your business’s reputation that could be tarnished; you could wind up in jail! This article outlines why POPIA is necessary, who it applies to, and how to ensure your business complies with the Act.
Why does our personal information need protecting?
Our world has become increasingly digitised over the past two decades. Where once our personal information was collected mainly by financial services institutions, now just about every business handles data. Data is saved, stored, and sold in unprecedented volumes. Many countries have passed legislation to protect citizens’ privacy, and these laws have become more robust in recent years.
One of the most stringent pieces of legislation is the European Union’s General Data Protection Regulation (GDPR), published in 2013. South Africa’s POPIA has been in development since 2005, but its enactment was delayed partly to take account of some of the innovations in the GDPR.
Who does it apply to?
POPIA regulates all entities that process personal information. This covers information about employees, customers and suppliers, and it covers anyone who outsources processing activities, shares data offshore, or employs direct marketing techniques. POPIA applies to personal information processed in South Africa, whether by an entity domiciled in South Africa or by one domiciled elsewhere that uses some means in South Africa (e.g. call centres) to process the data.
What is personal information?
“Personal information” is not just “sensitive” information, such as financial details or data about race, age, etc. POPIA defines personal information as any information relating to an identifiable, living natural person or an identifiable company or other similar legal entity. Personal information can be anything from private correspondence to age, gender, sex and race, ID numbers, phone numbers, location information, online identifiers, and personal opinions and preferences. The Act gives broad protection to our privacy.
What do you need to do as a business owner?
If you run a business or manage any sort of entity—even a voluntary organisation—that collects personal information, you are subject to the conditions of POPIA. The majority of POPIA obligations apply to the “responsible party”—the principal processor of personal data, who determines the purpose and means of processing. If you are the owner or senior manager of a business, you are a responsible party. You probably have at least one data processor, even if that is not their dedicated job. Anyone who handles data on your behalf is an “operator”. Operators also have responsibilities under POPIA, but those duties are straightforward:
- Comply with the contract they hold with a responsible party
- Notify the responsible party immediately of any suspected or actual data breach
The responsible party has a more onerous set of eight conditions and measures to comply with.
The conditions are:
- Accountability: All data processing must happen in compliance with POPIA. This means you must develop a data protection policy and designate an internal information officer responsible for compliance.
- Processing limitation: Personal data must be processed lawfully and in such a way that the data subject’s privacy is not infringed. You must develop procedures to ensure data processing takes place in a “reasonable manner”.
- Purpose specification: You may only collect personal information for a lawful, specific and defined purpose related to your business activity (e.g. marketing). You must tell data subjects why you are collecting their data, except in exceptional circumstances, such as compliance with a legal obligation.
- Further processing limitation: Once you have collected and processed personal information, you may only process that data further under limited circumstances, which must be deemed “compatible” with the previously defined purpose.
- Information quality: You must ensure that any personal information you hold is complete, accurate, not misleading and updated when necessary.
- Openness: You are required to compile a manual which must contain information stipulated by the South African Promotion of Access to Information Act, 2000. When collecting personal information, you need to inform the data subject of: (1) the information being collected and its source; (2) the name and address of your business; (3) the purpose for the collection of information; (4) whether the data subject is required to provide the requested information, or may do so voluntarily; (5) the consequences of failing to provide the information; (6) the legal basis for the collection of the information; (7) whether you intend to transfer the information to a third country and the level of protection afforded to the transferred information; and (8) any further information necessary for the processing to be reasonable under the circumstances.
- Security safeguards: You must secure the integrity and confidentiality of any personal information you hold by taking appropriate and reasonable measures to prevent loss, damage, unauthorised destruction of and unlawful access to the data.
- Data subject participation:
  - The data subject has the right to know if you hold personal information about them. They are also entitled to request a record of the personal information you hold, and any information about third parties who may have had access to the personal information.
  - The data subject can ask you to:
    - correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained
    - delete or destroy personal information that you are no longer authorised to retain
Let SD Law help
The information on this website is provided to assist the reader with a general understanding of the law. While we believe the information to be factually accurate, and have taken care in our preparation of these pages, these articles cannot and do not take individual circumstances into account and are not a substitute for personal legal advice. If you have a legal matter that concerns you, please consult a qualified attorney. Simon Dippenaar & Associates takes no responsibility for any action you may take as a result of reading the information contained herein (or the consequences thereof), in the absence of professional legal advice.