Various sections of the Protection of Personal Information Act, 2013 (POPIA) came into effect on 1 July 2020. Since then, there has been a 12-month phase in period. This period will expire soon. On 1 July 2021, all businesses will have to be compliant with POPIA's requirements.

In a franchising context, this means that a franchisor's internal processing of personal information must be in line with POPIA's provisions. This will extend to the personal information of employees and individual clients, but it is important to note that POPIA's definition of personal information covers information relating to individuals (people) as well as juristic persons (e.g. companies). Therefore, franchisors must also ensure that they adhere to POPIA's requirements when they process franchisees' personal information, even if they are companies. Franchisors may also need to assist their franchisees to ensure that they process consumers' personal information lawfully.

POPIA compliance requires a comprehensive and ongoing information management process.

This can include the following steps:

  • Establish a POPIA task team.
  • Appoint an information officer.
  • Check whether prior authorisation will be required from the Information Regulator.
  • Create the necessary processes, notices and other required documentations.
  • Ensure appropriate training of all relevant personnel.
  • Review the organisation's processing of personal information and the type of information processed.
  • Check whether personal information will be transferred across South Africa's borders and ensure compliance with POPI's requirements relating to this.
  • Make sure that all direct marketing will comply with POPI's requirements.
  • Review information security and safeguards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.