Without any doubt, many South African businesses and consumers have heard all about the POPI Act and POPI Compliance, but very few individuals actually know what it really means and how it may affect their daily lives or standard business operating procedures.
Today we’ll unpack some of the basic fundamentals of the POPI Act. We’ll also learn about how you can ensure that your business follows essential POPI Compliance procedures to prevent data breaches and legal ramifications.
What is the POPI Act?
The Protection of Personal Information Act 4 of 2013 (“POPIA” or “the Act”) comes into effect on 1 July 2021. It gives effect to the constitutional right to privacy by requiring that personal information is processed in a responsible manner. The aim is to prevent data security breaches, theft, unlawful dissemination of personal information and discrimination.
The Act identifies all the parties involved during the exchange and dissemination of information. It also identifies various methods of processing personal information, and how to responsibly apply data processing.
Does the POPI Act apply to me or my business?
Although the majority of businesses operating within South Africa process various forms of information, not everyone needs to comply with the Act. What you need to ask yourself is:
- Are you based in, domiciled in or registered in South Africa? and
- Do you process personal information in South Africa, or have an operator processing information on your behalf in South Africa?
If you answered yes to the above questions then you do, in fact, need to ensure compliance with the Act.
What are the expectations for POPI Compliance?
Sections 6 and 7 of the Act list the categories of processing that are exempt from the Act. These include:
- data processed for purely personal reasons
- data that has been de-identified and cannot be re-identified
- data processed by (or for) a public body in relation to national security, law enforcement or the justice system
- data processed by a province’s Cabinet and committees or Executive Council
- data processed for literary or artistic expression or for the purposes of journalism.
Additionally, POPI does not apply to:
- purely household or personal activities
- information that has been de-identified*
- information processed by or on behalf of a public body for national security, defence or public safety, or for the prevention, investigation or proof of offences, the prosecution of offences or the execution of sentences
- processing for purely journalistic purposes, if subject to a code of ethics that provides adequate safeguards for the protection of personal information

* To “de-identify” means to delete any information that—
(a) identifies the data subject;
(b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
(c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
and “de-identified” has a corresponding meaning.
Definitions of the role players
The POPI Act provides an outline of who the role players are for submitting, collecting and processing personal information.
A DATA SUBJECT
This is an identifiable person (living natural person / existing juristic person as far as applicable).
THE RESPONSIBLE PARTY
This means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. (This usually means you, the business collecting the information from the data subject / your customer)
THE OPERATOR
This is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. (This could be any third party such as MailChimp, Everlytic, Twilio, Salesforce, Hubspot, etc)
THE REGULATOR
The Information Regulator established in terms of section 39. (In other words, the Department of Justice in South Africa)
What is considered “personal information”?
Personal information is information relating to an identifiable person (a living natural person or, as far as applicable, an existing juristic person). Examples include information relating to:
- race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture and birth;
- education or medical, financial, criminal or employment history;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assigned to the person;
- biometric information;
- personal opinions, views or preferences;
- the views or opinions of another individual about the person;
- correspondence sent by the person that is implicitly or explicitly of a private/confidential nature;
- the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.
Lawful processing of information for POPIA compliance
The Act further prescribes 8 conditions for the lawful processing of information:
- Accountability – the responsible party must ensure that all the conditions are met prior to processing data.
- Processing limitation – this provides strict controls on what it means to lawfully process data.
- Purpose specification – you must collect information for a specific purpose, and the data subject must be aware of this purpose. Further, once you no longer need the information for that purpose you must delete or destroy it, unless you are required by law to retain it.
- Further processing limitation – this explains how you can or cannot process data. You may only process data for the purpose it was collected.
- Information quality – requires that you take all necessary steps to ensure that the data you collect and process is accurate and complete.
- Openness – This refers to the Promotion of Access to Information Act 2 of 2000. It is your duty to maintain strict documentation of all the processing activities you undertake.
- Security safeguards – The responsible party must employ appropriate, reasonable technical and organisational measures designed to prevent both unlawful access and the loss or damage of the personal information.
- Data subject participation – stipulates the rights of the data subject.
The 8 steps to lawful data processing
1. ACCOUNTABILITY
Responsible parties must comply with these eight conditions.
2. PROCESSING LIMITATION
Personal information should only be obtained by limited and lawful processing that does not unnecessarily infringe upon privacy.
3. PURPOSE SPECIFICATION
The purpose for which personal information is collected must be specific, explicitly defined and lawful.
4. FURTHER PROCESSING LIMITATION
Further processing must be compatible with the purpose for which personal information is collected.
5. INFORMATION QUALITY
Take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and kept up to date.
6. OPENNESS
Advise the data subject of certain mandatory information in respect of collection. (No forced/hidden opt-ins)
7. SECURITY SAFEGUARDS
The integrity and confidentiality of the personal information must be secured.
8. DATA SUBJECT PARTICIPATION
The data subject has certain access rights, including the right to request that their personal information be deleted.
How does this affect my marketing?
There is no easy way to say this – yes, it will affect your business’ direct marketing in a big way if you haven’t taken any steps towards POPIA compliance. Let’s talk about what direct marketing means according to the definitions set out in the Act.
“Direct marketing” means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
- promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
- requesting the data subject to make a donation of any kind for any reason.
“Electronic communication” means any text, voice, sound or image message sent over an electronic communications network that is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
Sorry call centres… this means YOU! Naturally, this affects businesses whose sales are largely driven by cold-calling, email and SMS marketing. Unless the data subject has given your business express, written permission, they have the legal right to file a complaint against your business with the Information Regulator. So if you haven’t already prompted your existing customers/audience to confirm the terms on which you may communicate with them, you may want to request this consent now – and give them a reasonable opportunity to respond easily and free of charge.
Still not sure about POPIA compliance?
Look out for our next article coming out next week where we will take a further look at direct marketing requirements and tactics that are well within POPI compliance regulations. Additionally, we would be happy to assist you and your business in becoming POPIA compliant.
CONTACT US and we will arrange a consultation with you.