The Protection of Personal Information Act (POPI) is law – So where to from here?

Do you remember the old story about how to get things moving? That’s right, the one about the stick and the carrot! Well, now we have something new to focus our attention on: the Protection of Personal Information (POPI) Act No.4 of 2013 (POPI Act).

So where is the “stick and carrot” for POPI?

Think about how broad the definition of “personal information” can be: customers, employees, suppliers, in fact anyone we interact with as a business. The POPI Act was signed into law in November 2013 and is expected to become effective in the next few months. Organisations will then have twelve months to become fully compliant or face the prospect of some potentially stiff penalties (including fines of up to R10 million) or, worse, reputational damage and loss of customers. That’s the “stick” part of the deal.

The “carrot” aspect is the opportunity to boost confidence in your business by demonstrating the way you manage sensitive personal data. Personal information includes data of customers, suppliers and employees, whether they are in emails, invoices, databases or printouts. This means showing you have processes and procedures in place to handle effectively and securely all aspects of what’s covered in the POPI Act.

Where does POPI come from?

Privacy and Data Protection Acts have already existed in other countries for several years. Examples are the European Union (EU) Data Protection Act, which came into effect in 1995, and the UK Data Protection Act (1998). The POPI Act is modelled to a large extent on the EU legislation, and has been written to ensure that South Africa is in line with international best practice.

Conditions for lawful processing of personal information in the POPI Act

  • Accountability = assigning ownership in your business;
  • Processing Limitation = processing information for lawful reasons and in a manner that does not infringe privacy;
  • Purpose Specification = only obtaining and holding personal information for a specific purpose;
  • Further Processing Limitation = Further processing of personal information must be compatible with the purpose for which it was collected;
  • Information Quality = ensuring that information is complete and accurate;
  • Openness = informing individuals that their information has been obtained and the purpose thereof;
  • Security safeguards = the integrity of personal information must be secured using reasonable technical and organisational measures;
  • Data Subject Participation = an individual has the right to request whether an organisation holds their personal information. An individual may request the information is deleted or corrected if it is incorrectly

What does POPI mean to you and your stakeholders?

  • Personal information such as employee and customer information will have to be protected and processed in a different way, in accordance with the conditions of the law;
  • Employee and customer information may not be disclosed to another party without the person’s consent;
  • Employee and customer information will have to be destroyed in a controlled manner when the purpose for which the information is held is no longer valid;
  • Standards will have to be defined for shredding equipment similar to standards in other countries so that the new law can be applied to these in an appropriate manner;
  • Steps should be taken to ensure that personal information stored on removable media such as memory sticks is protected in a controlled manner and consideration should be given to providing advice to consumers in the area.

POPI “Dos and Don’ts”
Do:

  • Understand what the POPI Act means to your business
  • Make sure you have assigned ownership for compliance with POPI
  • Start by conducting an assessment of how far you are already compliant
  • Develop a plan to address areas of non-compliance identified
  • Engage with all the relevant stakeholders impacted by POPI
  • Remember the “stick and carrot” aspects of POPI
  • Think about the implications of POPI for the products and services you provide

Don’t:

  • Ignore POPI, it won’t go away!
  • Put off your compliance efforts just because you have a twelve month grace period
  • Underestimate the amount of work that is required to change your business policies, processes and procedures, documentation and systems
  • Panic! POPI compliance is more like climbing Table Mountain than Mount Everest
  • Rush into your compliance efforts; take a structured, project-based approach to make your compliance efforts effective

So where should you start?

A number of steps should be taken to prepare for POPI becoming effective.  These include:

  • Organisational – start a POPI preparation program and appoint an Information Officer to drive your POPI compliance initiatives; an awareness and training programme should be prepared and delivered so that everyone in the business understands the implications of POPI;
  • Legal – review contracts with service providers where personal information is stored on your company’s behalf; for example, if you have outsourcing arrangements in place, ensure that these are amended to include personal information protection. This applies to business partners as well, where customer information is shared with them;
  • Business – identify processes where personal information is involved. Examples include the handling of customer and supplier information, as well as the handling of employee information. These processes should be amended to ensure that they comply with the principles in the POPI Act;
  • Technology – electronically stored personal information should be identified and steps taken to ensure that such information is protected in line with the Security safeguards principle contained in the Act.

Authors: Dr Peter Tobin, John Cato, and Professor David Taylor, March 2014.
For further information, contact the authors.