It seems that there’s a new “it” kid in terms of South African legislation. The Protection of Personal Information Act 4 of 2013 (“POPI / the Act”) seems to be the new buzz phrase in South Africa, but what is it really and what does it mean for you?
In 2013, South Africa passed the Protection of Personal Information Act (POPI). Although it predates the General Data Protection Regulation (“GDPR”), it's often referred to as South Africa's GDPR equivalent.
POPI was enacted to give effect to the constitutional right to privacy by safeguarding personal information when it is processed by a responsible party, and by protecting data subjects from security breaches, theft, and discrimination. To accomplish this, it outlines eight principles that South African data processors must follow.
POPI applies to the processing of personal information that is entered in a record by or for a responsible party, by automated or non-automated means, provided that where the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof.
There’s still a bit of confusion with regard to who needs to adhere to POPI guidelines. It is important to note that POPI has an impact on all businesses in South Africa, even if a business does not use personal information in its day-to-day business activities, as the Act applies to “all processing” of personal information which is entered into a record by a responsible party. This is why there is a need to have systems in place to deal with personal information.
Personal information, in terms of POPI, is data that can be used to identify a person. It is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” This information includes, but is not limited to, information relating to -
Religion / beliefs / culture
Educational / medical / financial / criminal or employment history
ID number, email address, physical address, telephone number.
A question that is asked often is how the provisions of POPI will affect someone’s business, and there are some key aspects for business owners to take note of. POPI will affect the way information is managed by businesses and will, amongst other requirements, bring in a need for businesses to classify any consumer data that they hold and identify whether it constitutes personal information. Businesses will also be required to identify any ‘records’ and ‘sensitive’ information they might hold, and third parties (in most cases this is the data subject) will have to be notified as soon as possible if there is a privacy breach and personal information is compromised.
POPI places duties on responsible parties to ensure that personal information of data subjects is adequately protected, and therefore requires responsible parties to put measures in place to ensure such protection.
POPI will have a significant impact, especially on businesses that are data intensive and process large volumes of personal information. The fact that POPI requires constant monitoring, training of employees and implementation of security measures will fundamentally affect the manner in which businesses deal with data containing personal information.
It may seem that POPI has more cons than it does pros, but business owners should note that there are some noteworthy benefits presented by the Act, namely -
POPI is a real boon for customers in that it affords them rights and protection, but in doing so it also gives businesses the opportunity to earn the trust of their customers by keeping them informed about how their information is used and processed.
Quality of Information
The processes followed in collecting and processing personal information also offer opportunities to improve the quality of the information collected.
Streamlining Business Processes
There is also an opportunity to improve the way data is used and processed. This can lead to smarter, faster, and more secure ways of using information, which can lead to a better-run business.
Making sure that businesses are compliant with the requirements set forth in POPI will take time as deliberate changes need to be made in how they handle personal information, something which cannot be left until the last moment. One of the best things that businesses can do from here on out is to implement processes that will normalise POPI compliance in the day-to-day operation of the business.
The sooner, the better.