The Protection of Personal Information Act (POPIA) is set to take effect on 1 July 2021.  This means that organisations have less than three months to comply with POPIA.

The Act aims to promote the protection of personal information processed by public and private bodies. POPIA sets out conditions and minimum requirements for the processing of personal information and seeks to regulate every step of the processing of personal information from how personal information must be handled when it is collected up to the stage where it is destroyed.

What is ‘Personal Information’ and what does ‘Processing’ mean?

Personal information means information relating to an identifiable, living, natural person and, where it is applicable, an identifiable, existing juristic person (companies etc.) including, but not limited to:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of a person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person (which is not publicly available);
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Processing means any operation or activity concerning personal information including collection, usage, storage, dissemination, modification, or destruction.

Factors that businesses should consider:

Businesses with customers, employees and suppliers should review their use of personal information to ensure that the processing of personal information conforms to the requirements of the Act. 

  1. Review the nature of customer/employee/supplier information that is collected by your organisation and how it is collected.

Businesses need to ensure that personal information being processed is based on one or more of the following lawful bases:

  • Consent: the data subject or competent person where the data subject is a child has given clear consent for the business to process the personal information for a specific purpose.
  • Contract: processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
  • Legal obligation: processing complies with an obligation imposed by law on the business.
  • Legitimate interest of data subject: processing protects a legitimate interest of the data subject.
  • Responsible party and third-party legitimate interests: processing is necessary for the legitimate interests of a third party or of the business.
  1. Determine why the personal information is being collected, where is It stored and how long will it be retained?
  • Personal Information collected should be limited and relevant in relation to the specific purpose for which it is processed.
  • Businesses cannot keep a record of personal information once the reason for which it was collected no longer exists, unless so required by law.
  1. Data Security
  • The Act requires a business to put in place “appropriate, reasonable technical and organisational measures” to prevent loss, theft, or damage to personal information. Businesses must ensure that Personal Information is processed securely and must have appropriate information technology measures to protect Personal Information against accidental or unlawful destruction, loss, amendment or unauthorized access.
  • The suitability of security measures will depend on the business and the type of personal information it holds.
  1. Third party service providers
  • In instances where businesses use third parties to process Personal Information, the business must ensure that third parties have adequate security measures in place to safeguard Personal Information.
  1. Training
  • Part of becoming POPIA compliant is ensuring that relevant employees and stakeholders are adequately trained and up to date with the provisions of the POPI Act, regulations, codes of conduct and the importance of POPI compliance.

Consequences of non-compliance with the POPIA Act

Non-compliance with the requirements of the POPI Act may lead to the Regulator imposing an administrative fine or even imprisonment. Non-compliance may also result in serious reputational damage for a business.