By now most businesspeople will have heard of the Protection of Personal Information Act, better known as the POPIA. The purpose of the Act is simply to protect people's personal information and, in this way, prevent them from suffering harm as a result of the unlawful dissemination or use of their otherwise private information. The POPIA sets out the method by which personal information may be acquired and used.
Although it has caused a great deal of concern, and despite parts of the Act having come into effect, the commencement date of the Act has faced significant delay. Indeed, since the Act first graced Parliament's floors in 2013, the European Union's General Data Protection Regulation (GDPR) has been passed and is now fully applicable. Many local businesses must already ensure that they are compliant with the GDPR, which is very similar to the POPIA.
Complicating matters, the POPIA makes reference to other Acts, most notably the Electronic Communications and Transactions Act (ECTA). Further, although the POPIA deals with the privacy of people's information, companies are still required to remain in compliance with the Promotion of Access to Information Act (PAIA), which has the potential for a degree of contradiction.
The POPIA, in summary, simply provides a set of laws and regulations which govern the method by which people's personal information may be acquired and processed. As a result, infringement of these basic standards attracts various penalties, which can be as serious as jail time. The penalties are severe: fines of between 1 million and 10 million Rand, or between one and ten years' imprisonment. The Act also provides for monetary payments in lieu of damages to data subjects.
Practically speaking, businesses are affected in the manner in which they manage information, and, in this instance, their customers' personal information as defined in the Act. At the most basic level, businesses must classify the data they hold to determine whether it constitutes personal information, being information which identifies a person. At the most complex level, businesses practising direct marketing are required to obtain consent from the people to whom they market. Further, in the event of a data breach, the business must be able to notify all the people affected.
The concern of some people is that the Act may result in a significant barrier to entry for smaller or start-up organisations. Although it will certainly require homework for the intrepid entrepreneur, as long as they have some type of safety measure in place, compliance should not be a concern. Most smaller businesses do not wantonly share sensitive private information, and if they do, they should stop.
The more difficult aspects are the appointment of an information officer and the drawing up of a privacy policy, which will be a challenge for most smaller businesses. A possibility exists that some types of SMMEs will be declared exempt from compliance with the more onerous (expensive) aspects of the Act, lest this become one more barrier to entry.
The Act will only become enforceable once the Information Regulator (an institution to be created through the POPIA) has been declared operational, and from that date we will have 12 months within which to comply. This means that businesses still have time to read the Act, understand the regulations and begin the process of ensuring that their business is acting in compliance with the Act.
If any of this seems daunting, be sure to contact a trusted legal advisor to assist you in the process of becoming compliant.
