
All businesses, large or small, have been required to comply with the POPI Act since 1 July 2021. Compliance is enforced through sanctions that include fines and even criminal charges against company heads and directors, which can lead to imprisonment. It took eight years for the law to come fully into force after it was first introduced in 2013.
POPI deals with, among other things, the processing of personal information, account numbers and children's information, with finance and marketing departments typically being the most affected. The Act regulates how we collect information, what we do with it, how it is stored securely and, ultimately, when and how it is destroyed after use. The purpose of POPI is to protect personal information from abuse, which in many cases leads to identity theft and money being stolen from people's accounts.
Anyone in possession of people's personal information must implement and maintain effective security safeguards. These include, but are not limited to, administrative, technical and physical safeguards, as well as appropriate technical and organisational measures. In each case the measures must be adequate to ensure the security and confidentiality of the information, to protect its integrity against reasonably anticipated risks, and to prevent unauthorised access to or use of it. Responsible parties are also obliged to protect against any use of the information that is not in accordance with an agreement, and against accidental loss, destruction, damage, alteration or disclosure.
This has significant implications for companies, because all employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties, must adhere to the law. It is incumbent on company executives to develop new internal policies and guidelines that regulate and oversee how personal information is managed.

Let’s Get Specific
What is personal information?
Personal information is any information that identifies you or specifically relates to you (or your employees) and that is stored or processed on company information systems. It includes, but is not limited to, the following information about you and / or your employees:
- Marital status
- National origin
- Age
- Language
- Birthplace
- Relevant financial history
- Identifying number (like an employee number, identity number or passport number)
- E-mail address
- Physical address (like a residential address, work address or your physical location)
- Telephone number
- Race
- Gender
- Full names and initials
Personal information also includes special personal information, such as a person's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behaviour, which POPI subjects to stricter conditions.
While some initial difficulties are to be expected as businesses adapt to these new regulations, the passing of the POPI Act has equipped South Africa with a powerful tool to protect its citizens from some particularly damaging and widespread forms of fraud and even cybercrime.
Key requirements for complying with POPI
POPI is based on eight conditions for the lawful processing of personal information and under each condition there are a number of key requirements.
1. Accountability
The responsible party must ensure that all the conditions for lawful processing are met, both when deciding the purpose and means of processing and during the processing itself.
Personal information must be processed lawfully and in a reasonable manner that does not infringe on the data subject's privacy.
2. Processing limitation
The processing of personal information must always be adequate, relevant and not excessive in relation to its purpose.
Personal information may only be processed where a lawful justification applies. The most common justification is the data subject's consent, which should be obtained before his or her information is processed.
3. Purpose specification
Personal information may only be collected for a specific, lawful and explicitly defined purpose that relates to the data collector’s function or activity.
Information must not be retained for longer than is necessary to achieve the purpose for which it was collected, unless retention is required or authorised by law.
4. Further processing limitation
Any further processing of personal information must be compatible with the purpose for which the information was originally collected.
5. Information quality
A responsible party must take reasonable steps to ensure that any personal information collected is complete, accurate, not misleading and updated where necessary.
6. Openness
A responsible party must document its processing activities as required by POPI's provisions, and data subjects must be notified when their personal information is collected.
This condition often results in organisations compiling detailed privacy policies to explain their privacy operations.
7. Security safeguards
Personal information must be kept confidential and its integrity maintained.
Responsible parties must take appropriate, reasonable measures to protect personal information against loss, damage or unauthorised destruction, and against unlawful access to or processing of it.
8. Data subject participation
Data subjects must be able to confirm whether or not an organisation holds any of their personal information.
They must also be allowed to correct their information or to request that the responsible party destroy or delete it.
POPI compliance tips for small businesses
These simple measures may help your business ease into POPI compliance:
- Develop internal ethical standards for the processing of personal information.
- Provide adequate training for employees involved in processing personal information.
- Establish new internal procedures for handling personal information.
- Keep a record of each processing activity.
- Review or develop internal guidelines for employees.
