Written by Karus Prinsloo
The first few sections of POPI came into effect in April 2014. As soon as the Act’s effective date has been published, organisations will have a grace period of a year to comply with POPI’s requirements.
POPI affects all areas in organisations where personal information is processed and places specific obligations and duties on organisations. It is therefore recommended that you ascertain what the impact of the Act will be on your organisation and what your responsibilities are to ensure compliance with the Act.
What is POPI?
POPI gives effect to the constitutional right to privacy, enshrined in the Bill of Rights in South Africa’s Constitution. The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.
The Act is based on international best practice and is a reflection of the best features of international privacy legislation. It follows King III’s principles and accommodates international standards.
POPI has been enacted, and certain sections of the Act came into operation on 11 April 2014. The final effective date of the Act is still unknown, but nominations for the Information Regulator closed in August 2015, which is a good indicator that the Act will become operational in the foreseeable future.
Inlexso Legal will continue to keep our clients up to date with developments in this regard. Organisations will have a one-year grace period to comply with the Act’s requirements, following the effective date of the Act.
Protecting personal information is not only a statutory duty but also sound business practice.
POPI aims to:
• Promote the protection of personal information processed by public and private bodies, and introduce certain conditions so as to establish minimum requirements for the processing of personal information;
• Provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000 (“PAIA”);
• Provide for the issuing of codes of conduct;
• Provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
• Regulate the flow of personal information across the borders of the Republic;
• Provide for matters connected therewith.
Conditions for the lawful processing of personal information:
POPI requires that eight conditions be complied with for the lawful processing of a data subject’s personal information, namely: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation.
Applicability of POPI
POPI affects existing business processes and systems substantially! It will, for instance, have a profound impact on the following business processes and information systems:
• Interaction with customers: collection and processing of customer information;
• Human resources: collection and processing of employee information;
• Information management: the classification, retention and security of information;
• Marketing: customer relationship management, system restrictions on direct marketing, keeping record of which customers not to contact in respect of new product offerings;
• International transfer of information: restrictions on cross-border transfers of information.
Practical implications of POPI for organisations include the following:
• Strengthening of the role of the “Information Officer”, introduced by the Promotion of Access to Information Act (PAIA). One of the mechanisms to ensure compliance with the legislation is that this person has personal liability in respect of certain issues of non-compliance.
• Identifying responsible parties.
• Ascertaining that the organisation’s business processes are aligned with POPI’s requirements.
• Conducting a risk assessment of organisations’ security safeguards and remedying weaknesses.
• Amending the PAIA manual in accordance with POPI’s requirements (i.e. description of business processes and security measures).
• Ensuring that any international transfers of personal information comply with POPI’s requirements.
• Ensuring that all written agreements incorporate the minimum levels of information security in order to safeguard the processing of personal information.
Consequences of non-compliance:
Non-compliance poses a huge reputational risk for organisations.
POPI has dire consequences for any party convicted of an offence in terms of the Act. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine (each fine to be determined by the relevant court on a case-by-case basis), can be imposed. Furthermore, the Regulator may impose administrative fines of up to R10 million.
Should there be interference with the protection of a data subject’s personal information, the aggrieved party may lay a complaint with the Regulator in accordance with the Act. A negotiated settlement is one of the possible outcomes of the complaints procedure.
POPI also provides for civil remedies, where the court may award an amount that in its discretion is just and equitable. This amount includes:
• payment for damages as compensation for losses suffered by a data subject as a result of a breach of the provisions of the Act;
• aggravated damages, in an amount determined in the court’s discretion;
• interest; and
• costs on a scale as determined by the court.
Are you ready to comply with POPI’s requirements?
Contact Inlexso to assist you with ensuring compliance with POPI. Our POPI services include assisting organisations with the development of roadmaps to ensure compliance, consulting services and providing training.
Also contact us in respect of any other legal or compliance matters. Please refer to http://eohlegalservices.co.za/services/legal-compliance-services/ for more information about our value-adding compliance service offerings, and contact Karus Prinsloo on 087 405 1827 or firstname.lastname@example.org for more information in this regard.
POPI Training – 22 October @ 8:30 for 9:00 – 13:00
A detailed session about the Act, its impact on business, the opportunities it presents and how to mitigate the risk brought about by the Act.
Date: 22 October 2015
8:30 for 9:00 – 13:00
Price: R1 500.00 (Excl VAT) per delegate
Venue: Inlexso Training Centre
Route 21 Corporate Park
72 Regency Drive
RSVP: Before 16 October 2015
Jolene: 087 405 1825/083 739 2130