WHEN WILL POPIA COME INTO EFFECT?

The POPI Act was signed into law by the President in November 2013 and published in the Government Gazette.
The President has signed a proclamation declaring that some parts of the Protection of Personal Information Act are already effective.
Once the remainder of the Act comes into effect, companies will be given at least a year's grace period to comply with the Act.
The Information Regulator was appointed in December 2016 and has prepared and published draft Regulations that will be finalised in due course.

WHAT IS PERSONAL INFORMATION?

It is information relating to an identifiable, living, natural person, and, where it is applicable, an identifiable, existing juristic person.

WHAT IS PROCESSING?

It is any operation or activity or any set of operations, whether or not by automatic means, including:

  • Collection, Organising, Updating, Storing
  • Dissemination
  • Modification & Destruction


WHAT IS THE DIFFERENCE BETWEEN A
RESPONSIBLE PARTY AND AN OPERATOR?

A RESPONSIBLE PARTY is the party who determines the purpose of and means for processing personal information.
This decision may be made alone or in conjunction with another party.

AN OPERATOR is a person who processes personal information for a responsible party in terms of a contract or mandate, but who does not come under the direct authority or control of the responsible party; typically this is a service provider.

As set out above, responsible parties determine the purpose for processing information, what information is processed, for how long and how it is processed. Where an operator is involved, the responsible party still determines the purpose for processing and so on, but outsources the processing of the information to the operator. The responsible party therefore still makes all decisions in relation to the information, and the operator acts in accordance with these decisions and on the instructions of the responsible party.

The responsible party remains ultimately accountable for ensuring that POPIA is complied with by both itself and all operators providing services to the responsible party. The outsourcing or sub-contracting of any processing activities to operators does not absolve the responsible party from liability towards the person whose information is being processed. If the operator contravenes POPIA, the responsible party may still be held liable by the Information Regulator.

THE 8 INFORMATION PROCESSING PRINCIPLES: THE CORE OF POPIA

ACCOUNTABILITY

The responsible party has a duty to ensure that the POPIA information processing conditions are complied with at the time of determining the purpose and means of processing, as well as during the actual processing.



PROCESSING LIMITATION

Processing, including collection, must be lawful and in accordance with POPI requirements. Personal information may only be processed in a way that is adequate, relevant and not excessive, considering the purpose of processing.


PURPOSE SPECIFIC

A responsible party must collect personal information for a specified purpose and must communicate the purpose to the person whose information is collected. It may only be retained for as long as necessary, considering the purpose.


FURTHER PROCESSING LIMITATIONS

All use of personal information after collection must be compatible with the purpose for which it was originally collected.

INFORMATION QUALITY

The responsible party has a duty to take reasonable steps to keep information records updated.


OPENNESS

A data subject must know for which purposes personal information is being collected and used. Certain prescribed information must be provided to the data subject.


SECURITY SAFEGUARDS

The responsible party must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.



DATA SUBJECT PARTICIPATION

A data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject, and to request from a responsible party the record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.


WHAT ARE THE KEY OBLIGATIONS OF A COMPANY UNDER POPIA?

  • ACCESS: A data subject must be given access to their information if requested.
  • SECURITY: Ensure measures are put in place to keep the data secure.
  • PURPOSE: Only use the data for the purpose it was collected for.
  • RETENTION: Only store the data for the time required, considering the purpose for which it was collected.
  • LAWFUL USE: Ensure all processing, including collection, is lawful and in accordance with POPIA.
  • ACCURACY: Ensure the personal information you hold is kept up to date.

WHO IS THE INFORMATION REGULATOR AND WHAT ARE ITS POWERS?

The Information Regulator is a juristic body that has been appointed and has wide-ranging powers and duties that include:

  • Educating the public about POPIA
  • Monitoring and enforcing compliance
  • Handling complaints about violations

WHAT SHOULD YOU DO NOW?
Keep yourself up to date on your POPIA rights and obligations. Review and update company policies to ensure POPIA compliance.

WE’VE HEARD A LOT ABOUT ‘OPT-IN’. WHAT DOES THIS MEAN?

  • Section 69 defines electronic direct marketing to include SMS and E-Mail marketing.

  • For non-customers, you need consent to do electronic direct marketing, and you have only one chance to get that consent.

  • This means you have the option to call each data subject (contact) once, to ask for consent. You may only call data subjects who have not already opted out.

  • You need to be transparent in your request for consent.

  • If you obtained personal information directly from your existing customers, a reasonable opportunity needs to be given to them to allow them to opt out should they wish to.

  • You need to have a system in place whereby opt-ins and opt-outs are recorded.

DON’T HAVE CONSENT?

Simply put, you need consent to do electronic direct marketing to non-customers.