Are you ready for POPI (Protection of Personal Information Act)?
Written by Karus Prinsloo
On 7 September 2016, Parliament appointed the members of the Information Regulator established by POPI. This can be seen as one of the precursors to the Act’s effective date being published.
As soon as the Act’s effective date has been published, organisations will have a grace period of a year to comply with POPI’s requirements.
POPI affects all areas in organisations where personal information is processed and places specific obligations and duties on organisations – it is recommended that you ascertain what the impact of the Act will be in your organisation and what the responsibilities are to ensure compliance with the Act.
What is POPI?
POPI gives effect to the constitutional right to privacy, enshrined in the Bill of Rights in South Africa’s Constitution. The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
The Act is based on international best practice and is a reflection of the best features of international privacy legislation. It follows King III’s principles and accommodates international standards.
Following POPI’s enactment, certain sections of the Act came into operation on 11 April 2014. The final effective date of the Act is still unknown, but the recent appointment of the Information Regulator is a good indicator that the Act will become operational in the foreseeable future.
Inlexso Legal will continue to keep our clients up to date with developments in this regard. Organisations will have a one-year grace period to comply with the Act’s requirements, following the effective date of the Act.
Protecting personal information is not only a statutory duty but also represents sound business practices.
POPI aims to:
- Promote the protection of personal information processed by public and private bodies;
- Introduce certain conditions so as to establish minimum requirements for the processing of personal information;
- Provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000 (“PAIA”);
- Provide for the issuing of codes of conduct;
- Provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
- Regulate the flow of personal information across the borders of the Republic;
- Provide for matters connected therewith.
Conditions for the lawful processing of personal information:
POPI requires that eight conditions be complied with for the lawful processing of a data subject’s personal information, namely: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
Applicability of POPI
POPI affects existing business processes and systems substantially! It will, for instance, have a profound impact on the following business processes and information systems:
- Interaction with customers: collection and processing of customer information;
- Human resources: collection and processing of employee information;
- Information management: the classification, retention and security of information;
- Marketing: customer relationship management, system restrictions on direct marketing, keeping record of which customers not to contact in respect of new product offerings;
- International transfer of information: restrictions on cross-border transfers of information.
Practical implications of POPI for organisations include the following:
- Strengthening of the role of the “Information Officer”, introduced by the Promotion of Access to Information Act (PAIA). One of the mechanisms to ensure compliance with the legislation is that this person has personal liability in respect of certain issues of non-compliance.
- Identifying responsible parties.
- Ascertaining that the organisation’s business processes are aligned with POPI’s requirements.
- Conducting a risk assessment of organisations’ security safeguards and remedying weaknesses.
- Amending the PAIA manual in accordance with POPI’s requirements (i.e. description of business processes and security measures).
- Ensuring that any international transfers of personal information comply with POPI’s requirements.
- Ensuring that all written agreements incorporate the minimum levels of information security in order to safeguard the processing of personal information.
Consequences of non-compliance:
Non-compliance poses a huge reputational risk for organisations.
POPI has dire consequences for any party convicted of an offence in terms of the Act. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine (each fine to be determined by the relevant court on a case-by-case basis), can be imposed. Furthermore, the Regulator may impose administrative fines of up to R10 million.
Should there be interference with the protection of a data subject’s personal information, the aggrieved party may lay a complaint with the Regulator in accordance with the Act. A negotiated settlement is one of the outcomes of the complaints procedure.
POPI also provides for civil remedies, where the court may award an amount that in its discretion is just and equitable. This amount includes:
- payment for damages as compensation for losses suffered by a data subject as a result of a breach of the provisions of the Act;
- aggravated damages, in an amount determined in the court’s discretion;
- interest; and
- costs on a scale as determined by the court.
Are you ready to comply with POPI’s requirements?
Contact Inlexso to assist you with ensuring compliance with POPI. Our POPI services include assisting organisations with the development of roadmaps to ensure compliance, consulting services, policy drafting and providing training.
Also contact us in respect of any other legal or compliance matters. Please refer to our Legal Compliance Services section on the website for more information about our value-adding compliance services offerings and contact Karus Prinsloo on 087 405 1827 or firstname.lastname@example.org for more information in this regard.