Protection of Personal Information Act (POPIA)
The enforcement of the Protection of Personal Information Act (hereinafter referred to as POPIA) commences on 1 July 2021, and all businesses that obtain, process and store personal information need to comply with the conditions for lawful processing of such personal information.
The purpose of the POPIA is to give effect to the constitutional right to privacy by safeguarding personal information and regulating the manner in which personal information may be processed. Furthermore, it provides persons with the right to protect their personal information and establishes measures to ensure respect for, and to promote and enforce, the rights protected by the Act. Under the Act, data subjects will have the right to request access to their personal information from a responsible party, to request a change to their personal information, or to object to the continued processing of their personal information.
So, as a business owner, how do I know if I need to comply? All public or private entities that determine the purpose and means for processing personal information, enter it into a record, and are either domiciled in the Republic or, if not domiciled in the Republic, process personal information within the Republic, have to comply with the Act. The Information Regulator has been established as an independent statutory body with the purpose of monitoring and enforcing compliance and conducting investigations relating to POPIA.
The Act establishes eight conditions for the lawful processing of personal information. One of these, for example, emphasises consent as a legal requirement prior to processing personal information, with certain exceptions. The onus will be on the responsible party to prove that their processing complies with these eight conditions. Among the eight conditions, it is important to emphasise effective security measures aimed at safeguarding the personal information under the responsible party’s control to prevent any security breaches. This includes ensuring there is no loss of, or unauthorised access to, personal information. Furthermore, the Act extends to aspects such as direct marketing, setting certain conditions for lawful marketing to data subjects. It also includes sections relating to the processing of special personal information and information relating to children.
The bottom line is that POPIA promotes the right to privacy of data subjects and holds the responsible party accountable for the safekeeping and responsible processing of personal information. Although the actual implementation of the POPIA may be a tedious and time-consuming process, it can at the same time contribute positively towards the responsible party’s reputation amongst customers, allow it to manage the information it holds and ultimately improve and innovate business processes.
The POPIA came into effect on 1 July 2020, with enforcement of the Act commencing on 1 July 2021. The Act provides for stringent fines and/or imprisonment for non-compliance, and a responsible party that fails to ensure the protection of personal information under its control moreover risks severe reputational damage. It is therefore critical that business owners ensure they have the necessary measures in place to safeguard and promote the responsible collection, processing, and storage of personal information.