The Protection of Personal Information (‘POPI’) Act is South Africa’s major data protection law and it comes into effect on 1 July 2020. First implemented in 2013, the Act gives effect to Section 14 of the Constitution, which provides that everyone has the right to privacy.
The POPI Act changes the way all companies are required to treat personal information. From next week, there will be new laws in place that government, companies and organisations must follow when they’re using or storing people’s personal information.
Companies have one year, until 1 July 2021, to become compliant.
Violations of the Act could result in fines or compensation for damages as high as R10 million.
Here is what you need to know.
All business are affected
The Act sets out rules for the collection, processing, storage and sharing of someone else’s personal information and will hold institutions accountable if they misuse or compromise personal information.
Direct marketing will be hardest hit, as people will now have to agree to being contacted. This means no more cold calls or voicemails from robots.
While data protection laws of many other countries exempt SMEs, this is not currently the case in South Africa.
Furthermore, every person and company is protected by this Act.
What is considered personal information?
The following information is considered personal or “precious goods” according to the legislation:
- Identity/passport number
- Date of birth and age
- Phone numbers (including cell phone number)
- Email address
- Online or instant messaging identifiers
- Physical address
- Gender, race and ethnic origin
- Photos, video footage (including CCTV footage, voice recordings and biometric data)
- Marital relationship status and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs (including personal and political opinions)
- Employment history and salary
- Financial information
- Education information
- Physical and mental health information (including medical history and blood type)
- Memberships to organisations or unions
NOTE: If this information is posted on your social media pages, you cannot complain about it being used in a data directory.
Relevant sections and applicable dates
Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) commence on 1 July 2020.
These sections are essential parts of the act and comprise sections which pertain to, among others things:
- The conditions for the lawful processing of personal information
- The regulation of the processing of special personal information
- Codes of conduct issued by the Information Regulator
- Procedures for dealing with complaints
- Provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the act
Sections 110 and 114(4) commence on 30 June 2021.
Benefits of the POPI Act
Firstly, the purpose of the POPI Act is to protect people from harm by protecting their personal information.
Secondly, the Act aims to protect people from having their money or identity stolen and to protect their privacy, which is a fundamental human right.
Furthermore, the POPI Act encourages transparency and openness and aims to increase customer confidence in organisations. This means your clients/customers will have more trust and confidence in your business because they their information and their interactions with you are secure and protected.
What this means for consumers
The people whose information is gathered and processed will now have the right to:
- Be notified when personal information is being collected
- Be notified if this information is accessed by an unauthorised person
- Inquire whether a party has their personal information
- Request a copy of their information from the responsible party
- Request the correction or deletion of their personal information
- Object to the processing of their personal information in certain circumstances
- Not have their personal data processed for direct marketing purposes
- Not be subject to a decision based solely on automated processing of their information in certain circumstances (such as automated profiling based on their personal information)
- Submit a complaint to regulators regarding non-compliance
- Institute civil proceedings against those who interfere with the protection of their information
How businesses can become compliant
The main motivation for complying with the POPI Act should be to protect people from harm.
To become compliant, businesses need to capture the minimum amount of required information, ensure its accurate and remove information that isn’t required.
Responsible parties (i.e., your business) can take various steps to comply:
- Appoint an Information Officer
- Raise awareness amongst all employees
- Amend contracts with operators
- Report data breaches to the regulator and data subjects
- Check that they can lawfully transfer personal information to other countries
- Only share personal information when they are lawfully able to
Make sure your business takes the appropriate measures to keep the personal information safe and reduce the risk of your system being breached.
You can read the full act and its various sections here.