POPI Act FAQ – What’s next?

by Lucy Phillips. Companies have 12 months to comply with the Protection of Personal Information Act (or POPI Act) after it came into effect on 1 July 2020. POPI is South Africa’s equivalent of the EU GDPR. It sets some conditions for responsible parties to lawfully process the personal information of data subjects (both natural and juristic persons). The President of South Africa has proclaimed that the Protection of Personal Information Act (POPI Act or POPIA) commences on 1 July 2020. So now what? We break down the most common queries and what business can expect within the next year.

What are the important dates?

As mentioned, on 1 July next year, the entire POPI Act will be fully enacted. Organisations have one year to become fully complaint or face possible sanctions.

What data is protected by POPI?

All personal information processed is required to be processed lawfully. The definition of personal information is wide, but includes:

• Names, email addresses, identity number, physical and postal addresses.
• Opinions, political and trade union affiliation.
• Religion, race, gender, sexual orientation, age, mental health.
• Education, medical, financial, criminal or employment history.
• Biometric information.

In summary, any information that can be used to identify a data subject, is personal information. Importantly, in terms of POPI, both natural and juristic persons are considered data subjects.

What is processing?

Any touching of the data is considered processing, subject to the exclusions of pure household  or journalistic purposes.

Who is responsible?

Who the Responsible Party is, is one of the most important questions. The Responsible Party is the party who chooses how the data is collected, why it is collected, what the data is used for, and how it is destroyed. The Responsible Party bears the onus of ensuring that when they collect the data, and make any decisions regarding the data, that they do so in terms of POPI.

What is our potential liability for non-compliance?

In terms of POPI, the Information Regulator can issue a fine of up to R10 million, or imprisonment of up to 10 years for the Information Officer in the event of a breach or a POPI infringement. If it can be shown that a company has taken pro-active steps towards compliance, the Information Regulator is more likely to look favourably on that company in the event of a breach.

How do we take steps towards compliance?

Security safeguards are just one element of data protection. The best IT security in the world is not fool proof if measures are not put in place at a human level. POPI requires compliance at every step. POPI is a people problem. POPI requires planning and buy in from all stakeholders in an organisation. First, assess your POPI readiness and what you have in place now. 12 months may seem like a long time but for some organisations it will be difficult to turn around longstanding practices and procedures around data collection, storage, management, retention and destruction. Once companies have established their risk and requirements, they will have a better idea of how much time will be needed  and what measures will be appropriate to implement, by the 1 July 2021 deadline.

Lucy Phillips heads up Consilium Legal, after founding the company with Natalie Laurencik in 2012. As a specialised consultancy, Consilium is focused on the commercial aspect of its clients’ businesses, such as commercial, corporate and advisory work. Having previously worked at FNB, where she was Legal Contracts Manager, and as Head of Legal (procurement) at Rand Merchant Bank; Phillips has extensive experience and expertise in staff training and continuing education on data privacy; consumer protection; roles and duties of directors under the Companies Act 2008 and the laws relating to social media.

– Receive the Retailing Africa newsletter every Monday and Thursday • Subscribe here

– Take advantage of Retailing Africa’s ‘Pay-what-you-can’ business support package • Read more