What is the Protection of Personal Information Act?
What should my company be doing to comply with the Protection of Personal Information Act?
In recent news the President has proclaimed sections of the Protection of Personal Information Act (hereafter referred to as the POPI Act) into law. Sections of the POPI Act came into effect on June 30 and July 1 respectively. Now that an Information Regulator has been established, the way has been paved for other sections of the Act to come into effect, and all organizations need to comply with the newly implemented regulations.

What is the POPI Act?

The POPI Act regulates all organizations that process personal information. This includes information about customers, employees and suppliers, and it covers companies that engage in direct marketing, to name a few. Personal information is defined in the Act as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” This covers information ranging from someone’s race, gender and sex to their personal opinions, views or preferences, through to biometric information and a person’s history, such as their criminal or employment history, as well as their physical address or identity number.
It is important for businesses to protect their clients’ and employees’ personal information. Your business runs the risk of damaging client relationships and the overall reputation of your business should you act recklessly with personal information. Companies are expected to ensure that all personal data is protected by adequate software and that the destruction of any personal data is done in the appropriate manner. Non-compliance with the requirements of the POPI Act may lead to the Regulator imposing an administrative fine or even imprisonment. The powers afforded to the Information Regulator of South Africa may see non-compliant entities face censure if they fail to adhere to the new measures put in place to protect private information. It is therefore recommended to act as soon as possible to become POPI compliant and avoid penalties in the future.

What can I do to comply?

The needs of each company may differ. Smaller businesses might not need certain measures that larger corporations need. With that being said, here are 3 things you could do:

1. A POPI Compliance Audit
By conducting this audit, you should aim to locate potential privacy risks and breaches within your current system and plan to remedy them.

2. Prioritize High-Risk Processes
Focus on these first, such as customer/client data, then move toward employee data, and so on.

3. Host a Privacy & POPI Act Awareness Campaign
Employees need to be made aware of and trained in the security requirements of the organization, as well as learn the basic POPI Act privacy principles and how to apply them at work. This is one of the most effective means of reducing the prospect of costly errors in handling sensitive information and of protecting company information systems.
It is important to note that all organizations that process personal information have a year from the 1st of July 2020, thus until the 1st of July 2021, to ensure that they are compliant with the new regulations that have come into effect in terms of the protection of personal information. Therefore, companies must not underestimate the one-year timeline, as there is a lot to do in order to become compliant with the above-mentioned regulations.
The information published on this website is provided for general purposes only and does not constitute legal advice. Please consult a lawyer on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.