Are you sure your company is POPIA compliant?
by Natalie Laurencik. The SA information regulator takes strong action against POPIA infringements – could your company be next in the firing line over customer data protection?
by Natalie Laurencik. Could your organisation find itself in the same boat as social media giants, WhatsApp and Facebook, with the South African information regulator when it comes to the sharing of personal information across different responsible parties – even those within the same group of companies as WhatsApp and Facebook are?
This strong reaction from the information regulator should cause us all to sit up and take notice of this section of POPIA which will find application very often in business; and which could easily be overlooked as it features in chapter 6 of POPIA, and not in the conditions for lawful processing. Section 57 and 58, seeks to augment the conditions for lawful processing of personal information by specifying that certain categories of personal information will require prior authorisation before responsible parties may process or continue to process such information. As defined in POPIA, “Responsible Party” is a public or private body or any person which, alone or in conjunction with others, determines the purpose of an means for processing personal information. One of these such categories is the processing of “unique identifiers”, which are for example an identity number, student number, telephone number, email address, policy number or reference number. If you process or intend to process this category of information, other than for a purpose for which the identifier was specifically intended at collection; and with the aim of linking such information together with information processed by other responsible parties, you will need to apply to the Information Regulator for permission.
The nature of this category is broad enough to capture a vast array of business transactions and dealings. For instance, an account number shared within a retail group (even if it only bears reference within said group); or a telephone number shared between client and marketing company (in certain instances). As long as it enables one to identify a particular data subject it will fall within the ambit of this section. It is important to note that it will not be necessary to obtain prior authorisation if the relevant industry is governed by a code of conduct which has been agreed to by the information regulator. Thus, in a great many industries, it will be encouraged to collaborate on the formulation of a set of rules to govern the processing of information in their particular circumstances to negate the need for continuous and repetitive applications for authorisation in terms of section 57.
There is however some good news in that you will only need to apply once for the prior authorisation in a specific set of circumstances; and that the information regulator has on, 11 March 2021, published guidance on when and how we should go about requesting such prior authorisation, the steps to do so and the forms to complete, same can be found here. However, until then a responsible party may not continue to process such information until it has either received authorisation from the information regulator or notice that a further investigation will not be conducted. This process should not take more than four weeks, though if a more detailed investigation is required this is permitted to take up to 13 weeks. Once a decision is issued it has the effect of an “enforcement notice” issued in terms of section 95 of POPIA and which will contain, among other things, a demand that the responsible party take specific action or refrain from specific action in a specified time period and also the responsible parties right to appeal. And to give all of this some teeth, the usual penalties will apply if the Responsible Party is found guilty of contravening these provisions as follows:
- If the responsible party fails to notify the Regulator of any processing that is subject to prior authorisation in terms of section 58(1) of POPIA.
- If the responsible party has notified the Regulator in terms of section 58 (1) of POPIA and carries out personal information processing before the investigation by the Regulator is completed or before receiving notice that a more detailed investigation will not be conducted.
Any person (including an organisation as per the definition of a person in POPIA) convicted of an offence as stipulated above is liable to a fine or imprisonment for a period not exceeding 12 months, or to both. In addition to a possible administrative fine of up to R10 million.
Natalie Laurencik is co-founder and director of Consilium Legal, a boutique legal and business advisory. She has been a practicing attorney for 13 years. Her expertise lies in commercial law; with a strong focus on the media, advertising, and public relations sector. She also has a keen interest in privacy and data protection, and is immersed in compliance programmes for clients across several different industries. Laurencik is also completing a PECB certfied GDPR DPO certification.
– Receive the Retailing Africa newsletter every Wednesday • Subscribe here.