The Protection of Personal Information Act 4 of 2013 (“POPI”) was signed into law in November 2013. The provisions of the Act came into effect on 1 July 2020, with the grace period ending on 1 July 2021. Organisations must ensure that they comply with the POPI Act, as the Information Regulator will start enforcing it when the grace period ends.
The purpose of POPI is to ensure that all South African institutions act responsibly when collecting, processing, storing and sharing another entity’s personal information. The POPI legislation confers upon data subjects rights of protection and the ability to exercise control over:
when and how they choose to share their information (requires their consent);
the type and extent of information they choose to share (it must be collected for valid reasons);
transparency and accountability on how their data will be used (limited to the stated purpose), and notification if/when the data is compromised;
access to their own information, as well as the right to have their data removed and/or destroyed should they so wish;
who has access to their information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing it;
how and where their information is stored (there must be adequate measures and controls in place to safeguard the information from theft or compromise);
the integrity and continued accuracy of their information (i.e. the information must be captured correctly and, once collected, the institution is responsible for maintaining it).
It is important to note though that this right to protection of “personal information” is not just applicable to natural persons but any legal entity, including companies. While consumers now have more rights and protection, organisations are considered “responsible parties” and have the same obligation to protect other parties’ personal information. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, private and public (government) bodies, sole proprietors, traders and juristic persons.
An operator, as defined in the Act, means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. Operators would include all service providers, suppliers and vendors, e.g. IT, internet and network providers, accounting and auditing services, banks, payroll administrators, courier/messenger services, and archiving companies.
The circumstances where POPI will not apply include the following:
Processing of personal information not entered on a record;
Where information collected is de-identified or encrypted;
The protection of national security;
The prosecution of offenders;
Where the public body is the cabinet or a court;
In certain circumstances, journalistic or artistic pursuits.
It is clear that there are only rare instances where POPI will not apply, and it is in the interests of organisations to comply: the advantages include building trust with employees, suppliers and clients rather than risking reputational harm or worse. In addition, the maximum penalties for non-compliance range from fines not exceeding R 10 million to 10 years’ imprisonment. There is also the risk of being subject to investigation and potentially being stripped of trading licences.
Ultimately, POPI could be very beneficial for South Africa, despite the expected costs of securing personal information. The costs should be seen as an investment for South African organisations to improve their worth to international investors. If POPI is recognised overseas and is seen in the same light as GDPR, then the chances are there will be a spin-off for local businesses.
The increasing sophistication of cyber-attacks means that organisations should assume they have already been breached, and take a proactive, multi-layered approach to mitigating risk.
Most important to bear in mind is that responsibility can be delegated, but not accountability.
What is POPICheck?
It is a cloud-based rapid assessment tool that helps organisations gauge their readiness for compliance with the POPI Act.
Login to POPICheck
Browse to https://app.popicheck.com and log in with the credentials you received by email. You will be prompted to reset your password.
Add Users; Business Units; Regions
Click the “Get Started” button and set up your users, business units and regions.
Click the “Create a New Assessment” button to open the new assessment form, give it a name and a business unit, and click “Save”.
Click on “My Assessments” in the left navigation panel, find the newly created assessment, and click to open it. Choose a category panel and “View Checklist” to start answering questions.
Review Corrective Actions
After saving an assessment, the app will present you with a set of “Corrective Actions”, each with links to relevant document templates.
Download and complete suggested template
Once you have downloaded a specific template, you can open it, review the requirements, and complete and sign it.
Upload to Evidence
After completing a template, navigate to the “Upload Evidence” page to upload it as evidence. This is where your completed evidence is securely stored.
Generate Compliance Manual
You can generate a personalised POPI compliance manual by clicking the “Generate Compliance Manual” button on the Upload Evidence page.
Clicking the report icon will generate a real-time report and snapshot of the current status of an assessment. You can also download the report for distribution.
Baseline your Score
You can return to a partially completed assessment and update your answers. This will generate a new score and a refined list of corrective actions.