What is the POPI Act?

In order to promote the protection of personal information processed by public and private bodies, the Protection of Personal Information Act (POPIA or POPI Act) has been implemented by the South African government. The President has proclaimed the POPI Act commencement date to be 1 July 2020, providing public and private bodies a grace period until 30 June 2021 to become compliant. The Act regulates who may process personal information, for what purposes, and under which conditions, whilst providing protection rights to those whose personal information is processed.

What happens if you don’t comply?

In the event that a data breach occurs, i.e. personal information is leaked, intentionally or unintentionally, or personal information is accessed via unauthorized means, the consequences could be severe. A Data Subject has the right to lodge a complaint with an Information Regulator and to institute civil proceedings. 

An Information Regulator may assess the Responsible Party for compliance and, if it deems this warranted, may ban the party from processing personal information or issue fines of up to R10 million; the penalties may even include imprisonment. This is of course in addition to any reputational damage, liability damages and costs incurred to control the damage.

What constitutes personal information?

Personal information is defined extremely widely and includes any information that can identify a person. This includes, but is not limited to, contact details such as an email address, cellphone number or address, as well as demographics such as age, sex, race and birth date.

Therefore, it is evident that nearly any and every business or entity in South Africa will need to be compliant with the Act, regardless of the number of staff or nature of business.

Who are the role players?

The POPI Act defines 4 parties:

  • The Responsible Party – the organisation that decides what to do with the personal information (for example, a company that sells a product or service and obtains personal information from a customer). This organisation needs to be fully compliant with the POPI Act.
  • The Information Officer – this person is responsible for overseeing and implementing a data protection strategy for the organization in order to meet POPI Act requirements. Usually in the case of a private body, the head of the body will be the Information Officer.
  • The Operator – this is anyone who processes the personal information on behalf of the responsible party through a contract or mandate, while not directly under the Party’s authority. This includes cloud storage solutions, internet service providers, etc. The Operator needs to secure the personal information and follow the instructions of the responsible party. It is therefore imperative that the Responsible Party ensures any Operators it partners with are also fully POPIA compliant.
  • The Data Subject – the person to whom the personal information relates.

How to become compliant

First and foremost, an Information Officer needs to be appointed and submitted to the Information Regulator. It is the responsibility of an Information Officer to oversee and implement a data protection strategy. As part of this strategy, the Information Officer needs to ensure that:

  • A compliance framework is developed, implemented, monitored and maintained;
  • A personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • A manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
  • Internal measures are developed together with adequate systems to process requests for information or access thereto; and
  • Internal staff awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Information Regulator.

In conclusion, the task of implementing a data protection strategy can be overwhelming, especially for small business owners. It is therefore highly recommended to partner with a law firm to assist with determining which policies and procedures to implement to sufficiently protect personal information in your context, both for the sake of the Data Subject and the Responsible Party.