We offer basic guidance on how to comply with POPI, officially in effect in South Africa from 1 July, 2020.
POPI is designed to promote the protection of personal information and to bring South Africa’s privacy laws in line with international standards.
It limits the rights of businesses to collect, process, store, and share personal information. It also makes businesses accountable for protecting the privacy of this information.
POPI’s commencement will impact a vast number of South African businesses, both large and small.
The POPI commencement date
South Africa’s long-awaited Protection of Personal Information (POPI) Act came into effect on 1 July, 2020.
Businesses now have a 12-month grace period before compliance with POPI becomes mandatory.
Non-compliance after this period could result in hefty fines or even prison time. So it’s vital for organisations to know how to comply with POPI.
Key requirements for complying with POPI
POPI is based on eight conditions for the lawful processing of personal information, and each condition carries a number of key requirements.
Read the full legislation or see our summary of each condition below.
1. Accountability
Personal information must be processed lawfully and in a reasonable manner.
It should not infringe on any person’s privacy.
2. Processing limitation
The processing of personal information should always be relevant and never excessive.
There are particular circumstances under which personal data may be processed. As such, the data subject’s consent should be obtained before his or her information is processed.
3. Purpose specification
Personal information may only be collected for a specific, lawful and explicitly defined purpose that relates to the data collector’s function or activity.
Information must not be retained for any longer than is absolutely necessary.
4. Further processing limitation
Any further processing of personal information must be related to the purpose for which the information was originally collected.
5. Information quality
A responsible party must ensure that any personal information collected is complete, accurate, truthful and updated.
6. Openness
A responsible party must document its process of collecting information as required by POPI’s provisions. Data subjects must be notified when their personal information is processed.
This condition often results in organisations compiling detailed privacy policies to explain their privacy operations.
7. Security safeguards
Personal information must be kept confidential and its integrity maintained.
Responsible parties must take appropriate measures to guard any personal information against unlawful acts and to prevent its loss, damage or destruction.
8. Data subject participation
Data subjects must be able to confirm whether or not an organisation holds any of their personal information.
They must also be allowed to correct their information or to request that the responsible party destroy or delete it.
POPI compliance tips for small businesses
These simple measures may help your business ease into POPI compliance:
- develop internal ethical standards for the processing of personal information
- provide adequate training for employees involved in processing personal information
- establish new internal procedures for personal information
- keep a record of each processing activity
- review or develop internal guidelines for employees.
What we offer at The Workspace
At The Workspace, we offer affordable, fully serviced offices and coworking, and all our members have access to meeting rooms, boardrooms and a range of business services. For more information, visit our branch pages, call us on 0861 250 259 or contact us online.
The Workspace doesn’t offer professional advice about how to comply with POPI or other laws. However, we do aim to provide our members and other small to medium businesses in South Africa with useful resources.