POPIA Act-GWM Chartered Accountants
The much-anticipated Protection of Personal Information Act 4 of 2013 (POPIA) comes into effect on 1 July 2021, giving businesses until the end of this month to comply with the new legislation. Whether your business is listed as a corporate or a sole proprietor, the legislation is binding if you are processing personal data.
If you collect or hold information about an identifiable individual or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of POPIA is very wide and it applies to almost everything you might do with an individual’s personal details including details of your employees.
You could face non-compliance penalties of up to R10 million or 10 years in jail, so it is very important to get your personal information records in order.
The good news is that there are a few steps you can take as a small business owner that’ll move you closer to POPIA compliance and significantly reduce the chances that you suffer a personal data breach.
The Information Officer must be registered with the Information Regulator on their electronic portal. If you haven’t appointed one in writing, the CEO of the company will automatically become one.
The general responsibilities of the Information Officer are:
Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable existing juristic person, including, but not limited to:
3. Evaluate all service agreements relating to data processing and update your contracts accordingly
Any third parties (“operators”) who hold or process any personal information for you must act with your authority, treat the information as confidential, and have in place all the necessary security measures.
To comply with the Act, businesses must implement proper systems for getting individuals' consent and for deleting or destroying personal information once it's no longer required. They should add disclaimers to physical and digital forms where applicable, and update their terms and conditions to communicate what information they possess and how it will be used, stored and, if applicable, shared.
In your framework you must:
Training of all relevant staff should be conducted continuously to ensure that staff understand the impact of POPIA on their particular area of focus within the organisation.
Brainstorm with your team all possible vulnerabilities for loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information and patch them.
Any actual or suspected breaches (called “security compromises” in POPIA) must be reported “as soon as reasonably possible” to both the Information Regulator and the data subject/s involved.
Direct Marketing includes any approach to a data subject to promote or offer to supply, in the ordinary course of the business, any goods or services. You can only market similar products to current customers, and potential new customers can only be marketed to with their consent.
POPIA establishes the rights and duties that are designed to safeguard personal data. In terms of POPIA, the legitimate needs of organisations to collect and use personal data for business and other purposes are balanced against the right of individuals to have their privacy, in the form of their personal details, respected. Most responsible businesses will already comply with POPIA in their normal course of business; it is just important that they now document that they have considered the POPIA requirements.