What is POPI?
POPI refers to South Africa’s Protection of Personal Information Act. This law regulates the “Processing” of “Personal Information”.
“Personal Information” means information relating to an identifiable, living natural person or juristic person (sole proprietors, companies, CC’s etc.). This includes, but is not limited to:
- contact details: email, telephone, addresses etc.
- age, sex, race, birth date, ethnicity etc.
- medical, employment, financial, educational and criminal history, blood type and biometric information
- private and business correspondence
“Processing” means what is done with the Personal Information collected, including usage, storage, dissemination to 3rd parties, alteration or deletion (whether such processing is automated or not).
Personal information is an asset
For most businesses, personal information is an asset. Whether central to their services or only used for marketing, there is value in holding personal information that is of good quality (which is a condition of lawful processing) and kept secure (another condition of lawful processing). The loss of or damage to this asset results in loss of trust and reputation and can lead to loss of profit.
Some POPIA obligations are to:
- Collect only information required for a specific purpose
- Apply security measures to protect the information
- Only hold the information for as long as you need it
- Allow the subject of the information, on request, to see the data held about them
When will I be affected by POPIA? Does POPI really apply to me?
Compliance with the Protection of Personal Information Act (POPIA), also known as the POPI Act, is mandatory for most organisations in South Africa. POPI makes it illegal to collect, use or store the personal information of consumers and businesses unless it is done in accordance with the laws and regulations prescribed in the Act.
The Act was signed into law in November 2013. The Information Regulator was set up in December 2016 and formalised in February 2017. We are now awaiting a commencement date for the regulations. The POPI Draft Regulations have been available for public comment and the requirements have become clearer.
Accountability for compliance rests with the Responsible Party, meaning a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Non-compliance could expose the Responsible Party to penalties or fines, including imprisonment of up to 12 months. In certain cases, penalties for non-compliance can be a fine and/or imprisonment of up to 10 years.