The Protection of Personal Information (Popi) Act comes into effect on 1 July, and radically overhauls the way companies are required to treat personal information.
Violations of the Popi Act could result in fines as high as R10 million, which means companies have until 1 July 2021 to become compliant.
All businesses will be impacted. Going forward, outreach marketing companies will have to get permission to contact customers, which means they will no longer be able to tout for business by way of cold calls or automated bots.
The Act sets out rules for the collection, processing, storage and sharing of someone else’s personal information.
The Act holds institutions accountable if they misuse or compromise your personal information. The legislation labels your personal information “precious goods” and gives you the rights of protection and the capacity to still have control over your information.
What exactly is personal information?
- Identity or passport number
- Date of birth and age
- Phone numbers – including cell phone number
- Email address
- Online or instant messaging identifiers
- Physical address
- Gender, race and ethnic origin
- Photos, video footage – this includes CCTV footage, voice recordings and biometric data
- Marital relationship status and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs – this includes personal and political opinions
- Employment history and salary
- Financial information
- Education information
- Physical and mental health information – this includes medical history and blood type
- Memberships to organisations or unions.
Bear in mind, if you publish your personal information on Facebook or social media, you cannot later complain that it ends up in someone else’s data directory.
What are the benefits of Popi?
Standard Bank offers this useful guide for individuals and businesses.
1. The business processes that need to be applied or improved will result in a better quality of organisational data. This will help your business gain a competitive advantage out of big data and will put you in a position to ethically and legally collect and utilise this information. If you have a smaller business, having quality information is a necessity when making informed decisions.
2. The POPI requirements of putting in place measures to process and secure information can benefit your business. You can use the requirements to develop your current business processes and include processing efficiencies.
3. Developing the contractual arrangements concerning the information being processed by operators, along with meeting satisfactory security measures, should allow you to identify opportunities. This can put you in a position to create a more efficient border control environment with third-party relationships.
4. Your customers will have more trust and confidence in you because they will know that their information and all their interactions with you are secure and protected. When you accomplish and maintain POPI compliance, you will be able to confidently reassure customers that their information is safe and secure.
When will POPI affect you?
The Act was signed into law in November 2013. Certain limited sections of the POPI Act have already come into effect but the majority of the POPI Act will only come into effect at a later date, which will be decided by the President.
Which sections have already come into effect?
The definitions in section 1
The Information Regulator (Part A of Chapter 5)
– This deals with the establishment, staffing, powers and meetings of the Information Regulator
– This means that it has been established but no one has been appointed yet
Regulations (Section 112)
– The Minister and the Information Regulator can now make regulations
Procedure for making regulations (Section 113)
– There are no regulations yet, but the process is now in place to make regulations
– The earliest expected draft regulation won’t be before June 2016
Does POPI really apply to you?
Accountability will rest with the “responsible party”, which is a public or private body that, alone or with others, determines the purpose of processing personal information. The “responsible party” needs to be a South African resident, or the processing needs to occur within South Africa. These are the cases to which the POPI Act does not apply:
- Specifically household or personal activity
- Appropriately de-identified information
- Various state functions, specifically criminal prosecutions and national security
- Journalism which is under a code of ethics
- Judiciary functions.
Why you should comply with Popi
Popi encourages transparency with the collected information and how it should be processed. This is meant to create openness and increase customer confidence in the organisation. In order to comply with POPI you just need to:
- Capture the minimum amount of required information, ensure it’s accurate and remove information that isn’t required. This should improve the general reliability of the organisation’s databases.
- Identify the personal information and take appropriate measures to keep the information safe, which will reduce the risk of your system being breached and any of the related public relations or legal consequences for your organisation.
Who specifically is affected by this legislation?
Everyone is affected. Every single business will need to become compliant with this Act or face serious consequences. Every person and company is protected by this Act.