If your business is domiciled within South Africa and is one that requires the acquisition of any personal information from clients or customers, the short answer is – yes.
It is important to note that complying with the POPIA does not have a “one size fits all” solution.
Every time you buy a product online, go to a doctor, sign up to a newsletter, hire an attorney or enter into any kind of contract or service request, you are obliged to give over some of your personal information. Many times, while you’re online, your data is being tracked and processed by companies that you have never heard of.
The purposes at the core of the POPI Act are to regulate how organisations store, process and use our information, to empower us to gain more control over what is being done with our personal information, and to protect our information from abuse.
How does POPI affect the information my business collects:
POPI aims to protect personal information by restricting the ways in which information can be collected and limits the purposes that information may be used.
The Act sets out strict accountability, in that the Responsible Party (the party who establishes the purpose, manner, and processing of the collection of personal data) must ensure that all measures are being complied with within the organisation.
In addition, the Act sets out processing and purpose limitations. This means that the way a business processes personal data must be in a manner that does not infringe on a person’s privacy rights and that the business may only use the information for a purpose of which the person (data subject) is aware.
The holder of personal information must maintain openness to ensure that the person whose data is being collected, referred to in the Act as the “data subject,” is aware of exactly what information has been captured and what purpose it will be used for. The data subject must at all times have the right to request for their personal information to be deleted, amended, or corrected if it is found to be inaccurate, excessive, or obtained unlawfully.
The Act sets out clearly that the responsible party must secure all personal information under their control. If an organisation’s security safeguards fail, it must notify the data subject that its information has been compromised.
What are the consequences if my business fails to comply with the POPIA?
If a Responsible Party causes the breach of a data subject’s personal information, negligently or otherwise, an aggrieved party may lodge a complaint with the Information Regulator. The Information Regulator does not necessarily require a court order to issue a fine for non -compliance.
The Act sets out civil remedies available to an aggrieved party which include, payment for damages as compensation for losses suffered as a result of a breach, aggravated damages; interest; and costs on a scale as determined by the court.
Where criminal charges are brought against a Responsible Party and such party is convicted, the penalty is a harsh one. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine. Additionally, the Information Regulator may institute administrative fines up to an amount of R10 million.
So, what should my next steps be?
The steps that need to be taken by an organisation to ensure compliance with the POPIA will vary from one to another. Now is an interesting time for every Information Officer across the country.
The first step for any business is to educate yourself as far as possible in terms of how your business is currently managing personal data and where possible vulnerabilities could be found.
Although there was a grace period of one year for compliance to be affected, 1 July 2021 has come and gone, and the sooner you can get the compliance ball rolling within your organisation, the better.
Now is the time to narrow down the purpose for your data collection, ensure that it is in line with what is envisaged in the Act, implement solid security measures for data protection, and make certain that your data subjects are aware of what is being done with their information and what rights they have pertaining to it.
Should you require assistance with POPIA compliance, please contact the EOHCB Information Officer at popi-io@eohcb.com