The Popi Act
South African Popi Act
POPI (Protection of Personal Information) is now a reality for all South African organisations. Failing to comply with this new stringent Privacy law will result in severe jail sentences and multi million Rand fines.
Is your business website PoPi compliant yet?
Our short POPI Act Summary
The Protection of Personal Information Act (or POPI Act) is South Africa’s equivalent of the EU GDPR. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons). The POPI Act does not stop you from processing and does not always require you to get consent from data subjects to process their personal information. Whoever decides why and how to process personal information is responsible for complying with the conditions. There are eight general conditions and three extra conditions. The responsible party is also responsible for a failure by their operators (those who process for them) to meet the conditions.
The POPI Act is important because it protects data subjects from harm, like theft and discrimination. The risks of non-compliance include reputational damage, fines and imprisonment, and paying out damages claims to data subjects. The biggest risk, after reputational damage, is a fine for failing to protect account numbers.
The biggest impact is on organisations that process lots of personal information, especially special personal information, children’s information, and account numbers. The most affected industries are financial services, healthcare, and marketing.
Some of the obligations under PoPi are to:
Obtain consent to collect and process personal information online;
Specify how you will be using and protecting that information;
Only collect information that you need for a specific purpose;
Apply reasonable security measures to protect it;
Ensure it is relevant and up to date;
Only hold as much as you need, and only for as long as you need it;
Automatically audit access to and usage of that information;
Allow the subject of the information to see what information you have and prove how you have used it on request.
It is much easier to start with a new website and build your PoPi compliance in from the beginning before you begin to collect information from your visitors. It is also easier to use online forms to manage information than attempting to comply with manual paper information collection points in your business.
Attempting to retrofit your website and your databases after the fact is a lot more difficult! Not impossible, as it can be done, but this can become very time consuming and expensive process.
DiG has the knowledge and the expertise to build PoPi compliant websites and online information management systems for your business as we have been aware of this legislation and have been actively seeking to develop solutions for Privacy Protection from before PoPi was enacted back in 2014.
What is the POPI Act timeline?
POPI commences on 1 July 2020. Giving you a 12 month grace period to get your organisation POPI compliant by the POPIA deadline of 1 July 2021. POPIA will be regulated by a new Information Regulator while within your organisation, your Information Officer is the key person to ensure compliance.
POPI Act Summary for Executives
If you’re looking for a POPI Act summary to give your board or governing body, we can help you to prepare a short handout and even present the executive briefing.
Need assistance with POPI compliance?
Empower yourself with practical knowledge by joining a Data Protection Programme, attending a POPI Act workshop, or a POPIA webinar.
The POPI commencement date is 1 July 2020 which makes the deadline for organisations to comply 1 July 2021.