A checklist when preparing for POPI and Data Laws
The Protection of Personal Information Act (POPI) may not yet be effective, but businesses need to make compliance a top priority for 2017.
Irrespective of whether POPI has been fully implemented, businesses are already required under the Companies Act to exercise a duty of care in respect of the personal information of other people and of their own companies, or face significant civil claims.
History of the POPI Act
POPI is not a phenomenon unique to South African law. Other countries have the same type of legislation to safeguard the personal information of their “data subjects”. The general consensus appears to be that POPI is well thought through, as it was benchmarked against the “best of” other similar international laws, learning from their deficiencies and blunders.
- The law was partially enacted in 2014 and we are currently awaiting the commencement date of the other sections of the Act, after which the Information Regulator will start enforcing POPI. Indications are that POPI will be fully implemented as from 2018. After the commencement date, businesses will only have one year to comply or face weighty penalties.
- If your business processes personal information, you will most likely be impacted by POPI, in particular those businesses operating within the Marketing, Healthcare and Financial Services sectors.
Most companies made parallel changes with the inception of the Consumer Protection Act (CPA) way back in 2008. With POPI demanding the same level of commitment and consideration from company executives, it is critical to steer organisations in the right direction by preparing for and accommodating new data legislation. Realistically, South African businesses should already have started their POPI implementation processes in order to ensure compliance.
What is the purpose of the POPI Act?
The POPI Act, in simple terms, sets conditions for how you can legally process personal information. POPI regulation fundamentally views personal information as a valuable possession and consequently aims to give you, as the possessor of your personal information, certain rights of protection. Its main purpose is to ensure that when storing, processing, gathering and distributing another entity’s personal information, all South African entities can be held accountable should they compromise or exploit that personal information in any form.
- You should know that this right to protection of “personal information” is relevant to individuals and to any legal entity such as companies, communities and any other legally acknowledged organisations. These entities are considered to be “data subjects” and have the same right to protection of their information.
- This simply means that while you as a consumer have rights and protection, you and your company are considered “responsible parties” and have the same responsibility to protect other parties and their personal information. For companies, this would include protecting information about your employees, vendors, business partners, service providers, etc.
We live in an information era, and along with this evolution comes the obligation for every individual to safeguard their own information. For example, you cannot accuse someone else of sharing your personal information when you widely publish exactly the same information on public domains or directories such as Facebook or LinkedIn. With advanced technology it is extremely easy to gain access to, collect and process high volumes of personal information in a very short period of time. It is important to note that this information can be used for additional processing or can even be sold. Imagine the permanent damage that this can cause companies and private individuals!
The POPI Act challenge
Integrating POPI into the daily operations of a business will definitely require a substantial amount of time and determination, for instance updating all business practices, training and apprising employees, and updating technology solutions. POPI may seem open to interpretation and challenging to understand when you apply it to your specific circumstances, as it deals with intangible concepts. Where should a business owner start?
The 5 most important points to consider when processing personal information:
- Record your data and personal information – know where, what type of, and by whom all personal information is being processed (information storing, controlling and deploying)
- Prepare for dealing with numerous regulators and authorities – the Information Regulator, SARS and Financial Services Board, etc.
- Evaluate all service agreements relating to data processing – update contracts accordingly and keep them proximate – clear roles should be defined for everyone in the processing chain
- Ensure that all fundamental responsibilities towards customers are in place and executed – interaction with customers should be professional and satisfying
- Prepare for executing an all-inclusive POPI assessment by seeking practical legal advice and guidance – consult with professionals and spend adequate time and money to ensure you are POPI compliant.
Fortunately, the implementation of POPI in your business does not have to be a time-consuming or demanding task if you have already implemented an Information Security Management System. By implementing POPI, you have an opportunity to evaluate and streamline your business operations, policies and processes based on comprehensive business practices, embracing applicable and cost-effective technological solutions.