POPI Compliance

The protection of personal information has become paramount all around the world. There has been an international trend followed by many countries to develop and establish legislation in order to sufficiently protect personal information.

South Africa has conformed to this trend and in November 2013 POPI was signed into law. However, only certain sections of POPI are currently in force. These sections relate to the establishment of the Information Regulator and the issuing of regulations.

Once the remaining provisions of POPI come into force, companies will have 12 months within which to become fully “POPI compliant”.

The purpose of POPI includes, inter alia:

  1. to safeguard the integrity of personal information;
  2. to conform with international trends;
  3. to ensure the implementation of policies which protect the personal information of data subjects that are held by companies and to hold companies accountable for the non-compliance with POPI.

Consequently, POPI affects most industries in South Africa. It is therefore essential that companies become well acquainted with what it means to be “POPI compliant”.

In order to become POPI compliant there are 8 minimum conditions that are required to be met by companies for the lawful processing of personal information. These 8 minimum conditions include:

  1. ACCOUNTABILITY: Companies must ensure that they comply with the other 7 conditions as set out below for the lawful processing of personal information. Protecting the integrity of personal information should not be delegated to persons who are unfit or untrained to adequately process it in accordance with POPI.
  1. PROCESSING LIMITATION: Personal information may only be processed if it is adequate, relevant and not excessive.
  1. PURPOSE SPECIFICATION: Personal information should be collected for a specific, explicitly defined and lawful purpose which relates to the activities of the company.
  1. FURTHER PROCESSING LIMITATION: The further processing of any personal information should be compatible with the purpose for which it was initially processed.
  1. INFORMATION QUALITY: Companies must take reasonably practical steps to ensure that the personal information is accurate, complete, not misleading and where necessary, updated.
  1. OPENNESS: Companies must ensure transparency and fairness in the processing of personal information.
  1. SECURITY SAFEGUARDS: Personal information in a company’s possession or under its control must be appropriately safeguarded against loss, destruction or unlawful access.
  1. DATA SUBJECT PARTICIPATION: A data subject has a right to request a company to disclose and confirm, free of charge, whether the company holds personal information in relation to him/her/it.

In order to maintain POPI compliance, a company should:

  1. Appoint an information officer or outsource the functions of the information officer;
  2. Develop and implement a POPI policy which assist data subjects to understand what personal information is being processed and why it is being processed;
  3. Train employees to become POPI compliant;
  4. Redraft contacts to include provisions to ensure POPI compliance.

Companies may face serious consequences if they do not comply with POPI, which include inter alia:

  1. Imprisonment of members of senior management, including directors, not exceeding 10 years;
  2. Legal risks, including legal action taken by data subjects;
  3. Reputational risks, including brand damage and loss of customer goodwill;
  4. Financial risks, including the imposition of penalties and administrative fines to the maximum amount of R10 million.

Companies and all other parties falling within the ambit of POPI should ensure that all staff members and parties that are tasked with the duty to process personal information comply with the provisions of POPI.

With the onset of POPI, companies no longer have a choice but to comply with its provisions and adequately protect personal information they process.

(Drafted by Carmen McKinlay assisted by Etienne Van der Merwe)