The POPI Act is Here. What Does it Mean for you?

The practise of sharing and collating information presents itself in our everyday lives. Whether you are consulting with your attorney, getting your nails done at your favourite spa, joining a webinar on Covid-19 or participating in an online survey, you will find yourself divulging personal information on a regular basis.

The Protection of Personal Information Act 4 of 2013 (“the Act”) has come to fruition on the 1st of July 2020, and serves the purpose of giving effect to the constitutional right to privacy by ensuring information is processed in a responsible manner so as to prevent security breaches, theft, and discrimination. It is important to note that the Act does not impose an obligation of obtaining consent from data subjects before processing their data but rather creates conditions for the lawful processing of personal information of South Africans.

Even though the Act has already come into play, you have exactly one year from date of commencement to ensure that you align with it. The Information Regulator will begin enforcing the Act once the 1 year grace period has lapsed.

Although the vast majority processes information, not everyone needs to comply with the Act. 

The point of departure would be to ask yourself two questions:

  1. Are you based /domiciled/ registered in South Africa?; and
  2. Do you process personal information in South Africa or have an operator processing information in South Africa?

If you answered yes to the above questions then you do in fact need to ensure compliance with the Act.

Section 6 and 7 of the Act lists the parties who are exempt from complying with the Act, these include:

  • data processed for personal reasons
  • data that is de-identified and cannot be reinstated
  • data process by (or for) a public body relating to national security, law enforcement, or the justice system
  • data processed by a province’s Cabinet and committees or Executive Council
  • data processed for literary or artistic expression or for the purposes of journalism. 

The Act prescribes 8 conditions for the lawful processing of information:

  1. Accountability – the responsible party must ensure that all the conditions are met prior to processing data.
  2. Processing limitation – this provides strict controls on what it means to lawfully process data.
  3. Purpose specification – you must collect information for a specific person and the data subject must be aware of this purpose. Further, once you no longer need the information for processing purposes you must delete or destroy them unless required by law.
  4. Further processing limitation – this explains how you can or cannot process data. You may only process data for the purpose it was collected.
  5. Information quality – requires that you take all necessary steps to ensure the data you collect and process is accurate and complete.
  6. Openness – This refers to the Promotion of Access to Information Act 2 of 2000. It is your duty to maintain strict documentation of all the processing activities you undertake.
  7. Security safeguards – The responsible party must employ appropriate, reasonable technical and organisational measures designed to prevent both unlawful access and the loss or damage of the personal information.
  8. Data subject participation – stipulates the rights of the data subject.

Failure to comply with the Act is an offense and may attract a fine of up to R10 million and/or imprisonment of up to 10 years.

Appointing a person to ensure compliance with the Act and updating your policies and practices would be a step in the right direction to avoid legal action being taken against you. Even though you have a year to ensure compliance before you are penalised, it would be best to get the process started as soon as possible so that you can start, and perfect the implementation of the Act.