The Protection of Personal Information Act is finally here — and this is what you need to know
The Protection of Personal Information (POPI) Act will finally be in force in full from July 1, having been passed by parliament seven years ago.
Still, businesses will have until the end of June next year to comply with it.
The act applies to all local and foreign organisations collecting, using or handling consumers’ personal information, including name, identity number, age and addresses.
“A year may seem like long time, but business leaders need to initiate the compliance process as soon as possible because, in many cases, compliance will require the implementation of fundamental changes to their organisations”, said Louella Tindale, data protection specialist at law firm Caveat Legal.
Her POPI Act to-do list for businesses includes:
- Identifying what personal information a business collects, from whom and where it is stored;
- Reworking communication tools in light of POPI’s direct marketing provisions;
- Considering consumers’ rights and how they will act on their right to withdraw consent; and
- Amending contracts to include POPI compliance clauses.
Regulated by the Information Regulator, the act will be the go-to piece of legislation for consumers when their personal information is abused, or companies don’t protect it sufficiently or demand personal information, such as their ID number, when it’s not necessary.
Last August, for example, a Twitter war broke out when a woman tweeted that a cellphone company employee who handled her contract renewal had taken her number from the company’s system and contacted her to ask her out.
Some shared her outrage at the abuse of her personal details, while others condemned her for over-reacting.
Verlie Oosthuizen, head of social media law at law firm Shepstone & Wylie, said at the time that the POPI Act would allow those in such situations to seek recourse via the Information Regulator.
Those who feel uncomfortable being forced to have their driver’s licence scanned and their car’s number plate photographed when entering residential or business complexes could also test the legitimacy of their concerns against the POPI Act with the Information Regulator.
“This is an invasion of privacy and a perfect recipe for either cloning my car or identity theft,” Paul Hamilton of Durban said.
SA Fraud Prevention Service executive director Manie van Schalkwyk agreed.
“I totally feel uncomfortable to provide any security company with that information as I am not sure what they are doing to keep secure.”
As SA went into Covid-19 lockdown, Doros Hadjizenonos, of IT security company Fortinet, said regulations such as the POPI Act were going to strain the ability of service providers to maintain required levels of privacy in the new work-from-home normal.
“While working from home has been gaining in popularity for several years, many organisations have hesitated to move to remote telework,” he said.
“But in the wake of the current public health crisis, many of these businesses have been forced to relent. It is critical that they do their part in securing customer data, employee operations, and business continuity as best as possible.”
For most organisations, complying with the POPI Act will require an analysis of all personal information within the organisation; where they got it from and what they do with it, said global law firm Herbert Smith Freehills on Monday.
“They will need to establish measures that ensure that they only collect, use, store, delete and otherwise handle personal information in permitted ways and that it is appropriately protected from unauthorised access or loss.”
The fines and penalties vary depending on the offence, with a maximum of 10 years in prison or a R10m fine.