The purpose of POPI is to ensure that all South African institutions act responsibly when collecting, processing, storing and sharing another entity’s personal information. The POPI legislation confers upon data subjects rights of protection and the ability to exercise control over:
- when and how they choose to share their information (requires their consent)
- the type and extent of information they choose to share (it must be collected for valid reasons)
- transparency and accountability on how their data will be used (limited to the stated purpose), and notification if/when the data is compromised
- access to their own information, as well as the right to have their data removed and/or destroyed should they so wish
- who has access to their information, i.e. there must be adequate measures and controls in place to track access and to prevent unauthorised people, even within the same company, from accessing it
- how and where their information is stored (there must be adequate measures and controls in place to safeguard the information and protect it from theft or compromise)
- the integrity and continued accuracy of their information (i.e. the information must be captured correctly and, once collected, the institution is responsible for maintaining it)
It is important to note, though, that this right to protection of “personal information” applies not only to natural persons but to any legal entity, including companies. While consumers now have more rights and protection, organisations are considered “responsible parties” and have the same obligation to protect other parties’ personal information. For a company this would include protecting information about its employees, suppliers, vendors, service providers, business partners, private and public (government) bodies, sole proprietors, traders and juristic persons.
An operator, as defined in the Act, is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. Operators would include all service providers, suppliers and vendors, e.g. IT, internet and network providers, accounting and auditing services, banks, payroll administrators, courier/messenger services, and archiving companies.
The circumstances where POPI will not apply include the following:
- processing of personal information not entered on a record;
- where the information collected is de-identified or encrypted;
- household activities;
- the protection of national security;
- the prosecution of offenders;
- where the public body is the cabinet or a court;
- in certain circumstances, journalistic or artistic pursuits.
It is clear that there are only rare instances where POPI will not apply, and it is in the interests of organisations to comply: the advantages include building trust with employees, suppliers and clients rather than risking reputational harm or worse. In addition, the maximum penalties for non-compliance range from fines not exceeding R 10 million to 10 years’ imprisonment. There is also the risk of being subject to investigation and potentially being stripped of trading licences.
Ultimately, POPI could be very beneficial for South Africa, despite the expected costs of securing personal information. These costs should be seen as an investment by South African organisations to improve their worth to international investors. If POPI is recognised overseas and seen in the same light as GDPR, then the chances are there will be a spin-off for local businesses.
The increasing sophistication of cyber-attacks means that organisations should assume they have already been breached, and take a proactive, multi-layered approach to mitigating risk.
Most important to bear in mind is that responsibility can be delegated, but not accountability.