The commencement of certain sections of the Protection of Personal Information Act, 2013 (POPIA or POPI Act) took effect on 1 July 2020. A grace period of 12 months from this date was given to comply with the Act – therefore all entities must be fully compliant with the provisions of the POPI Act by 1 July 2021.
Let us assist you with ensuring POPI compliance
We believe that focussing on three areas, namely POPI Training, Implementation and Monitoring, will make your POPI compliance journey hassle-free and save you time, all while ensuring that your business is POPI compliant.
Whether you need help guiding your staff through the process of understanding the POPI Act and the impact it will have on the various processes and people in your business, or need support and guidance on the steps you need to take and the policies and processes you need to implement to become and remain POPI compliant, we can assist.
Contact us today to find out how we can help you become POPI compliant.
Have you registered your Information Officer with the Information Regulator?
Your Information Officer is the person in your business that will ensure that your business is POPI compliant.
One of the first steps is to appoint and register your Information Officer with the Information Regulator. POPI designates the head of the business as the Information Officer. Depending on the type of business, the Information Officer will therefore be the sole proprietor, a partner in a partnership, or the CEO (or equivalent) in a company or CC. While the head of the business may delegate his/her duties to any other duly authorised person, accountability for ensuring that processing is done lawfully remains with the responsible party, i.e. the person or body that ‘determines the purpose of and means for processing personal information.’
Section 55(2) of POPIA requires that Information Officers must be registered with the Information Regulator before they can take up their duties in terms of POPIA and the Promotion of Access to Information Act (PAIA). Registration is therefore a prerequisite for Information Officers to perform their duties.
If you are the registered Information Officer in your business, here are some questions to determine whether you are fulfilling your duties:
- Do you encourage and ensure compliance in the organisation with the conditions for the lawful processing of personal information?
- Do you deal with requests made to the organisation in accordance with POPIA?
- Are you aware that you must work with the Information Regulator in relation to investigations conducted regarding Chapter 6 of POPIA which deals with “prior authorisation”?
- Have you or are you in the process of ensuring that a compliance framework is developed, implemented, monitored and maintained in your business?
- Have you conducted a personal information impact assessment that ensures that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information?
- Have you developed a PAIA Manual that is readily available and implemented a plan to monitor and maintain the Manual?
- Have you developed internal measures, together with adequate systems, to process requests for access to information?
- Have you arranged internal awareness sessions regarding the provisions of the POPI Act, regulations, codes of conduct, or information obtained from the Regulator?
- Are you prepared to provide a copy of the PAIA Manual to a person who requests it, upon payment of the prescribed fee?
If you have answered ‘No’ to any of the questions above, you may need assistance with POPI compliance in your business.
Contact us to find out how we can help you fulfil your responsibilities as Information Officer.
More about the POPI Act (‘POPIA’)
What is the POPI Act (‘POPIA’)?
The POPI Act is a comprehensive privacy law that applies to all public and private bodies that process personal information in South Africa. It protects and regulates the processing of personal information and gives effect to the broader constitutional right to privacy.
The POPI Act requires businesses to regulate how personal information is collected, organised, stored, secured and discarded. This enables a business to maintain the integrity and confidentiality of its clients’ and employees’ personal information by preventing loss, damage and unauthorised access to that information. The Act therefore requires that personal information be handled responsibly and lawfully from the time it is collected until the time it is destroyed.
The commencement of certain sections of the POPI Act, which took effect on 1 July 2020, deals with, among other things:
- the purpose of the Act,
- the application and exclusion provisions,
- the lawful processing of personal information and exemptions thereof,
- sections relating to the Information Officer,
- prior authorisation,
- codes of conduct issued by the Information Regulator,
- provisions regulating direct marketing by means of unsolicited electronic communications,
- enforcement, complaints, offences, and penalties.
Read more about the commencement of the POPI Act
The impact of the POPI Act on your business
It is critical that businesses establish and implement appropriate and reasonable technical and organisational security measures, together with POPI-related policies and procedures, to maintain the confidentiality and integrity of personal information. These policies, procedures and measures will differ from business to business. Therefore, one of the first steps in understanding how the POPI Act impacts your business is to assess and identify the gaps between your current practices and the requirements of the Act.
You may also find it useful to create a POPI compliance project timeline and plan your implementation according to your project timeline. For more factors to consider when assessing the impact of POPI on your business and getting started with POPI compliance, click here.
Contact us for assistance with a detailed POPI gap analysis, checklist and templates that will guide the steps, policies and processes you need to become POPI compliant.
Consequences of non-compliance with the POPI Act
It is important for businesses to protect the personal information of clients and employees entrusted to them. Non-compliance with the requirements of the POPI Act may lead to the Regulator imposing an administrative fine, or to criminal prosecution that can result in a fine or imprisonment. Your business also runs the risk of damaging client relationships and its overall reputation should it act recklessly with personal information. It is therefore recommended to act as soon as possible to become POPI compliant and avoid penalties in the future.
Contact us if you need assistance with POPI compliance for your business.
Find out how we can assist you with POPI Training, Implementation and Monitoring