South Africa’s Protection of Personal Information (POPI) Act is due to come into full effect.
Its commencement has been delayed – like much else – by the coronavirus pandemic. However, the wisest course of action for businesses is to be prepared.
POPI is designed to promote the protection of personal information and to bring South Africa’s privacy laws in line with international standards.
It limits the rights of businesses to collect, process, store, and share personal information. It also makes businesses accountable for protecting the privacy of this information.
The Information Regulator wrote a letter to President Cyril Ramaphosa requesting that the outstanding aspects of POPI be brought into effect by the second quarter of 2020.
POPI’s commencement will impact a vast number of South African businesses, both large and small.
The POPI commencement date
It was expected that the commencement date for the Act would be 1 April 2020. Because of the pandemic, the start of POPI has been delayed for now.
With the legislation “ready to go”, it’s likely to become a focus once responding to the coronavirus crisis is no longer priority number one.
A one-year grace period will apply after the commencement date.
Non-compliance after this period could result in hefty fines or even prison time. So it’s important for organisations to know how to comply with POPI.
Key requirements for complying with POPI
POPI is based on eight conditions for the lawful processing of personal information, and under each condition there are a number of key requirements.
Read the full legislation or see our summary of each condition below.
1. Accountability
Personal information must be processed lawfully and in a reasonable manner.
It should not infringe on any person’s privacy.
2. Processing limitation
The processing of personal information should always be relevant and never excessive.
There are particular circumstances under which personal data may be processed. As such, the data subject’s consent should be obtained before his or her information is processed.
3. Purpose specification
Personal information may only be collected for a specific, lawful and explicitly defined purpose that relates to the data collector’s function or activity.
Information must not be retained for any longer than is absolutely necessary.
4. Further processing limitation
Any further processing of personal information must be related to the purpose for which the information was originally collected.
5. Information quality
A responsible party must ensure that any personal information collected is complete, accurate, truthful and updated.
6. Openness
A responsible party must document its process of collecting information as required by POPI’s provisions. Data subjects must be notified when their personal information is processed.
This condition often results in organisations compiling detailed privacy policies to explain their privacy operations.
7. Security safeguards
Personal information must be kept confidential and its integrity maintained.
Responsible parties must take appropriate measures to guard any personal information against unlawful acts and to prevent its loss, damage or destruction.
8. Data subject participation
Data subjects must be able to confirm whether or not an organisation holds any of their personal information.
They must also be allowed to correct their information or to request that the responsible party destroy or delete it.
POPI compliance tips for small businesses
These simple measures may help your business ease into POPI compliance:
- develop internal ethical standards for the processing of personal information
- provide adequate training for employees involved in processing personal information
- establish new internal procedures for personal information
- keep a record of each processing activity
- review or develop internal guidelines for employees.
The Workspace doesn’t offer professional advice about how to comply with POPI or other laws. However, we do aim to provide our members and other small to medium businesses in South Africa with useful resources.