The POPI Act Countdown is On! Everything you need to know about POPIA compliance
What is POPI?
POPI is South Africa’s data privacy law and it stands for the Protection of Personal Information Act, 2013. It is sometimes also referred to as POPIA. It governs when and how organisations collect, use, store, delete and otherwise handle personal information.
What is personal information under POPIA?
Generally speaking, personal information is any information that can be used to identify a natural person or a juristic person (i.e. an organisation). This information about a person includes, but is not limited to:
Who does POPI apply to?
POPI applies to all local and foreign organisations processing (i.e. collecting, using or otherwise handling) personal information in South Africa.
What does this announcement mean for your organisation?
You will have until 1 July 2021 to become compliant. This means that although there will be no sanctions for non-compliance until then, you must work towards compliance. For most organisations this is no easy feat, as it requires an analysis of all personal information within your organisation, where you get it from and what you do with it.
It is recommended that organisations that have not yet started becoming compliant, do so as soon as possible or they could face fines, penalties and other adverse consequences in future. It is also a good time to commence a data privacy awareness programme within your organisation.
What do the final POPIA regulations deal with?
- How a data subject can object to the processing of their personal information.
- How a data subject can request the correction or deletion of information.
- The responsibilities of an information officer. (Important!)
- How to apply for the regulator to issue a code of conduct.
- How to request marketing consent. (Important!)
- How to submit a complaint to the regulator.
- How the regulator will act as a conciliator in investigations.
- What the regulator must do before it investigates you.
- How the regulator will try to settle complaints.
- How the regulator will conduct assessments.
- How the regulator will notify people during investigations.
What is POPI compliance?
You will need to establish measures that ensure that you only collect, use, store, delete and otherwise handle personal information in permitted ways and that it is appropriately protected from unauthorised access or loss.
The measures that each organisation employs will be different, but in practice, it will mean more policies and procedures for your organisation and you will need to inculcate a culture of data protection in your organisation.
Does POPIA provide any benefit to businesses?
POPIA provides the opportunity to analyse and have more control over the data handled within your organisation and to better understand its purposes. As data is an increasingly valuable resource, better data management can increase the efficiency and effectiveness of any business.
What does POPI mean for consumers?
Consumers will benefit from POPI’s requirements in that their personal information must be protected and it can only be collected or handled where there is a lawful justification for doing so.
POPI gives consumers specific rights in respect of organisations handling their personal information and gives consumers greater control over it. Consumers are informed about what personal information is collected, by whom and why, so that they are able to make informed decisions.
Who regulates POPIA?
POPI is regulated by the Information Regulator.
What are the fines and penalties for non-compliance?
The fines and penalties vary depending on the offence, with a maximum of 10 years in prison or a R10 million fine.
Does POPI add anything to my constitutional right to privacy?
Every person has a constitutional right to privacy, which has many aspects (including privacy in the home, private communications and private information about a person).
POPI gives practical effect to that right insofar as it relates to personal information handled by organisations. It provides a direct mechanism through which that aspect of the right can be enforced.
Is POPI different from the GDPR?
POPI is similar to the EU’s data privacy law, the General Data Protection Regulation (GDPR), but it differs in some respects. The main difference is that POPI regulates the personal information of juristic persons (corporate personal information), where appropriate, whereas the GDPR does not.
Another interesting difference between the GDPR and the POPI Act is that the GDPR places direct obligations on operators (called processors), whereas the POPI Act simply says there must be a written mandate between the responsible party and an operator. This places immense importance on the agreements that a responsible party has with its operators.
Who are the role players in POPIA?
What are their responsibilities?
Under POPIA and the regulations: The Information Officer is responsible for ensuring that their organisation complies with the POPI Act. They are a key person in any compliance project or programme.
A Responsible Party is a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
An information officer of a responsible party (or body) must:
- encourage compliance with conditions for the lawful processing of personal information,
- deal with requests made pursuant to POPIA (presumably by the Information Regulator or Data Subjects),
- work with the Regulator in relation to investigations conducted related to prior authorisations (pursuant to Chapter 6 in relation to the body),
- otherwise, ensure compliance by the body with the provisions of POPIA,
- develop, implement and monitor a compliance framework,
- ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist,
- develop, monitor, maintain and make available a PAIA manual,
- develop internal measures and adequate systems to process requests for access to information,
- ensure that internal awareness sessions are conducted, and carry out any other duties that may be prescribed.
These responsibilities are set out in section 55 of POPIA.
The third-party Operator is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Even where an operator is also a responsible party in its own right, when it is instructed or contracted to deliver a processing service on behalf of a responsible party for a specific purpose, it acts as an operator.
For more information or compliance solutions, feel free to contact us