The new Protection of Personal Information Act (POPI) was signed into law in November 2013. POPI is legislation similar to the UK’s Data Protection Act and aims to give effect to the constitutional right to privacy as enshrined in section 14 of our Constitution. POPI therefore prescribes the “rules” under which businesses will in future need to process all personal information (that is, information that qualifies as “personal information” in terms of POPI).
POPI is not a bad thing. If you read about POPI on the internet, the picture may seem a bit gloomy. There is unfortunately also a lot of wrong information available on POPI on the internet. We therefore urge you to speak to someone with the relevant knowledge to assist you with interpreting the way in which POPI will apply to your particular business.
It is important to understand that while POPI has been “signed into law”, which means that it is an Act (and no longer a Bill that may still change), the majority of its provisions are not yet in force. This means that the majority of provisions cannot yet be enforced.
A commencement date will be published in the Government Gazette and, after a one-year period from the commencement date, all businesses will need to comply with the POPI requirements (unless the one-year period is extended). In effect this means that there will be a “one-year compliance period” for businesses to get their ducks in a row. Don’t be fooled by this: there is no quick fix for POPI, and businesses should treat compliance as a longer-term project. The time is therefore most definitely right to start your compliance project (if you have not done so already).
POPI is principles based. This means that POPI does not necessarily lay down hard and fast rules for all circumstances. Rather, POPI prescribes certain principles (similar to “good business practices”, but with the intention of compelling businesses to implement these practices) that all businesses will need to adhere to.
In further articles we will discuss the different conditions in more detail, but by way of summary you can consider the following:
- In terms of POPI you need to identify the reason why you want to use the personal information and then only use it for those specific reasons. POPI refers to this as the “purpose of use”. The reason for this rule is that a person should be able to know for what reason you will use his or her information.
- In certain circumstances you may only use (the Act talks about “process”) personal information if you have consent to do so. But note that you will still be able to use information in some instances even if you do not have consent.
- You need to implement measures to ensure that you do not lose personal information or share it with other businesses that are not entitled to have it.
- People have the right to ask you what information about them you hold.
- When you market products or services to people, they always have the right to opt out. In some instances you will not even be able to market to people at all without their consent.
- POPI has implications for transborder flow of information (this will be important if you store information cross border or make use of cloud service providers for example).
- POPI very specifically requires certain measures from you when you use service providers that will process personal information on your behalf.
- POPI requires you to deal with children’s information and “special information” (as defined in POPI) in a very specific manner.
POPI should not be a threat to your business. You can rather embrace it and use it as a differentiating factor, considering that your competitors may not yet be compliant.
Yes, penalties of up to R 10 000 000 could be imposed, but our view remains that reputational risk is a real factor that should also be considered. If you have not started your compliance project, the time is now. You can contact Jana van Zyl at firstname.lastname@example.org for more information.