The countdown to compliance has officially begun! All businesses that process personal information need to comply with the Protection of Personal Information Act (POPIA) 4 of 2013 by 1 July 2021. Businesses need to comply with the Act’s eight conditions for lawful processing and we’re here to make sure you’re compliant before the deadline hits.
What is the POPI Act?
The Protection of Personal Information Act 4 of 2013 (“the Act”) came into effect on 1 July 2020. It gives effect to the constitutional right to privacy by ensuring that personal information is processed responsibly, so as to prevent security breaches, theft and discrimination. It is important to note that the Act does not impose an obligation to obtain consent from data subjects before processing their data; rather, it sets out conditions for the lawful processing of the personal information of South Africans.
What does “lawful processing” mean?
The definition of “processing” is important because the POPI Act introduces a number of conditions for lawful processing. The definition of processing in the POPI Act covers just about everything that one could dream of doing with personal information.
Section 1 of the POPI Act defines “processing” as “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including…”.
This introduction is then followed by a list of operations and activities, namely: “collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use”; “dissemination by means of transmission, distribution or making available in any other form”; and “merging, linking, as well as restriction, degradation, erasure or destruction of information”.
What are the 8 conditions for lawful processing of information?
- Accountability – the responsible party must ensure that all the conditions are met prior to processing data.
- Processing limitation – this provides strict controls on what it means to lawfully process data.
- Purpose specification – you must collect information for a specific purpose and the data subject must be aware of this purpose. Further, once you no longer need the information for that purpose you must delete or destroy it unless you are required by law to retain it.
- Further processing limitation – this explains how you can or cannot process data. You may only process data for the purpose it was collected.
- Information quality – requires that you take all necessary steps to ensure the data you collect and process is accurate and complete.
- Openness – this refers to the Promotion of Access to Information Act 2 of 2000. It is your duty to maintain strict documentation of all the processing activities you undertake.
- Security safeguards – the responsible party must employ appropriate, reasonable technical and organisational measures designed to prevent both unlawful access to, and the loss or damage of, personal information.
- Data subject participation – stipulates the rights of the data subject.
Failure to comply with the Act is an offence and may attract a fine of up to R10 million and/or imprisonment of up to 10 years.
What steps will you have to take to comply?
Responsible parties will have to:
- Appoint an Information Officer.
- Complete an Impact Assessment.
- Amend contracts with operators.
- Report data breaches to the regulator and data subjects.
- Check that they can lawfully transfer personal information to other countries.
We encourage you to take your next step towards POPI compliance. Contact our team at Gunston Strandvik to undertake a Privacy Impact Assessment.
Some next steps to consider:
- General training: information session on the POPI Act
- Draft Compliance Framework
- Impact Assessment Questionnaire
- Training with managers on the framework and questionnaire
- Reviewing findings and providing recommendations and remedial action
Email [email protected] or call 021 702 7763 to request a quote for any of the above.