This 3-part article series covers POPIA compliance, solutions, implementation and management:
- POPIA Compliance: 8 conditions a responsible party should be aware of (this article)
- POPIA Compliance: Implementation Solutions
- POPIA Compliance: the power of technology
POPIA was originally enacted in 2013, when South Africa, along with the rest of the world, was becoming aware not only of the growing commercial value of personal information, but the damage that could be done by unauthorised publication and use of personal information collected by companies from their customers, employees and others.
The range of information protected by POPIA is extremely wide; any information relating to an identifiable, living, natural person, or an existing juristic person is covered. Any person or company in South Africa that receives, stores, uses or distributes personal information (referred to in POPIA as a "responsible party") is obliged, when dealing with (or, as POPIA terms it, "processing") personal information, to comply with POPIA.
POPIA was brought into effect in July 2020 and responsible parties have been given until 1 July 2021 to ensure that their processing systems and procedures are compliant. The CEO (or equivalent) of every responsible party is automatically designated as the "information officer" of that body and is responsible for ensuring that the responsible party complies.
The consequences of non-compliance can be severe. POPIA provides that, in a case of non-compliance, the Information Regulator can issue a compliance notice against the offender and, if the non-compliance continues, a court can impose a fine of up to R10 million or a prison sentence of up to 10 years.
For processing to be POPIA-compliant, a responsible party must comply with these eight conditions:
- Accountability: This requires creating systems and policies to regulate processing and ensuring that all staff are trained to implement them.
- Processing limitation: Information collected must be adequate, relevant and not excessive for the purpose for which it is required. The data subject (that is, the person to whom the information relates) must have consented, unless the processing is necessary for fulfilment of a contract with the data subject, protection of a legitimate interest of the data subject or compliance with a legal duty of the responsible party. It must have been collected directly from the data subject unless it is already public, the data subject has consented, or it is required by the responsible party to comply with a legal obligation or for court proceedings.
- Purpose specific: Personal information may only be collected for specific, defined and lawful purposes. Only information that is relevant for the purpose for which it was collected may be retained, and information must be deleted or de-identified when it is no longer required.
- Further processing restrictions: Any processing beyond the original purpose for which information was collected is only allowed if the further processing is compatible with the original purpose.
- Information quality: The responsible party must ensure that any information it processes is accurate, complete, not misleading and updated when necessary.
- Openness: A responsible party must ensure that data subjects are aware of what information is being collected, the source of the information, the responsible party's identity, the purpose of collection, whether the supply of information is voluntary or mandatory, the consequences of failing to provide information, whether the collection is authorised or required by law and whether the responsible party intends to transfer the information to another country.
- Security safeguards: Measures must be put in place to protect against data breaches.
- Data subject participation: Data subjects may request access to their personal information and request deletion or correction of information held.
POPIA makes special provision for direct marketing; personal information may not be used for that purpose unless the data subject has consented or is already a customer of the responsible party.
POPIA also regulates cross-border transfers of personal information. A responsible party may not transfer personal information to a third party in a foreign country unless the foreign country has a law that provides protection for personal information similar to POPIA, the recipient is subject to binding corporate rules or a contract that provides protection for the personal information concerned, or the data subject consents.
As you can see, POPIA places onerous obligations on all organisations that process personal information. It is therefore important for organisations to implement a strategy to ensure they are fully compliant.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.