What is the POPI Act?

Personal Information Application Identity Private Concept

A new Act has been put into law, fuelling intense debate in the country. The Act offers South African citizens additional protection when disclosing their personal information. By now, you may have already heard of the Protection of Personal Information Act, commonly known as POPIA or the POPI Act. This was introduced as South Africa’s data protection law which commenced on 1 July 2020, making companies and organisations comply by 30 June 2021. In terms of POPIA, there should be a balance between an organisation’s need to collect information from a person and protecting that individual’s right to privacy.

Why do we need the POPI Act?

If an organisation is responsible for collecting, retaining and destroying an individual’s personal information, they are likely to be processing personal data. The scope of POPIA is rather vast and it applies to almost everything you may do with an individual’s details, including details of your employees.
Furthermore, many of us use the internet for several reasons – online shopping, internet banking, social media, education, browsing, and so many others. The Protection of Personal Information Act was introduced to essentially safeguard people online from having their money or identity from being stolen as well as protect their overall privacy on the internet.

What does this mean for businesses?

An organisation is responsible for requesting and retaining personal data, then POPIA applies throughout the period that they are processing this data. Therefore, it is vital for the organisation to comply with POPIA from the moment it receives the records until it is either returned, deleted or destroyed. Data must be disposed of safely, without any harm or prejudice toward the individual concerned. TDW’s document shredding services allow for the safe disposal of confidential records which includes and is not limited to hard drives, credit cards and documents in any format.

Businesses should now review their data processes regularly to ensure that they are compliant with the POPI Act.

Who does this affect?

Government, large corporations and SMEs are mainly affected, as well as any juristic person who processes personal information.

What should one do in order to comply?

These are the following steps those responsible should take to comply:
1. Appoint an Information Officer.
2. Create a Privacy Policy.
3. Inform all employees of the new changes.
4. Amend existing contracts with those affected.
5. Perform a check and report any data breaches to the regulator and data subjects.
6. If you are a large corporation that has business abroad, check whether you can lawfully transfer personal information to other countries.
7. Only share personal information if you are lawfully able to and under no other circumstance.

If parties are non-compliant, what happens?

Where a responsible party is found to be non-compliant, the following penalties come into effect:
● A fine or imprisonment of between R1 million and R10 million or one to ten years in jail.
● Compensate financially if data subjects have been damaged in any way.
● Damage to the company’s reputation
● Loss of employees and clients
● Unable to attract new business

Despite these penalties, the ultimate goal of protecting people from harm and preventing data breaches should always be at top of mind.

Find out more about the POPI Act here