An overview of the POPI Act and the impact it has on businesses.

The Protection of Personal Information (POPI) Act, No 4 of 2013, was signed into law by the President and published in Government Gazette Notice 37067 in November 2013. It promotes the protection of personal information by all public and private entities. The POPI Act serves various purposes, namely:

  • Regulating how personal information may be processed, by establishing conditions that meet international standards for the lawful processing of personal information.
  • Ensuring the constitutional right to privacy by protecting personal information.
  • Establishing voluntary and compulsory measures, including the Information Regulator.

To whom does POPI apply?

  • Any public or private body or any other person which, unaided or in combination with others, regulates the purpose of and means for processing personal information (Responsible Party). The "Responsible Party" of every company is accountable for ensuring and enforcing its own compliance.
  • Any person who processes personal information for a Responsible Party in terms of a mandate or agreement, without coming under the direct authority of the Responsible Party.

It’s really about taking special care of the personal information that is entrusted to you by your customers and clients. If you act recklessly with this information, you not only face regulatory sanctions, but you also run an actual risk of damaging client relationships and your overall business reputation. Non-compliance may have far-reaching consequences and could expose the Responsible Party to a penalty or fine of R10 million and/or imprisonment of 12 months up to 10 years.

What personal information does POPI apply to?

Most businesses in South Africa will be impacted by the POPI Act in one or more ways. The personal information that the POPI Act protects is that of an identifiable person, including information relating to:

  • Gender, race, marital status, nationality, sex, mental health, religion, belief, language, etc.
  • Education or financial, criminal, medical and employment history.
  • Biometrics, including physical, behavioural or physiological characterisations (DNA analysis, retinal scanning, blood type, etc.).
  • Email address, telephone number, location information, online identifier, etc.
  • Correspondence of a private nature.
  • Opinions or views that another person has relating to the person.
  • The person’s name, if disclosure of the name would reveal information about the person.

Personal information does not refer to information that is already in the public domain or is not used or intended to be used for the purpose of trade or commerce.

What are the information processing conditions?

The POPI Act includes eight information processing principles or conditions, namely: accountability, data subject participation, further processing limitation, information quality, openness, processing limitation, purpose specification and security safeguards. These conditions ensure improved data quality and business management.

When does the POPI Act come into effect?

Once the Act is made effective, companies will be given a year’s grace period to comply with the Act. The Act was partially enacted on 11 April 2014. We are awaiting the commencement date of the other sections of the Act; the Information Regulator will start enforcing POPI one year after this commencement date. Indications are that the POPI Act might be fully implemented from the end of May 2017. Realistically, South African businesses should already have started their POPI implementation processes in order to ensure compliance.

Who is the Information Regulator?

The Information Regulator is an independent juristic body that was appointed in 2016 in terms of POPI. The Information Regulator is, among other things, responsible for educating the public about POPI, handling complaints, and enforcing and monitoring compliance. SERR Synergy assists businesses and organisations to fully comply with the procedures required by POPI by setting up a comprehensive Information Security Management System (ISMS).
