POPI Act: 5 practical guidelines

It is vital that employers understand their obligations and responsibilities regarding data protection and privacy in terms of the Protection of Personal Information (POPI) Act 4 of 2013. Employers should take into account compliance requirements, essential policies, and best practices for handling personal information in accordance with the law.


Five practical guidelines for employers include:

1. Information Officer:

Identify an “Information Officer” who will be responsible (and liable) for all compliance duties, working with the Regulator, establishing procedures, and training your team in awareness and compliance. A person will automatically be a business’s Information Officer if they are its “Head”, i.e. a sole trader, any partner in a partnership, or, in respect of a “juristic person” such as a company, the CEO, Managing Director or “equivalent officer”. You, your partnership or your company can “duly authorise” another person in the business (management level or above) to act as Information Officer, and you can designate one or more employees (again management level or above) as “Deputy Information Officers”. You will need to register both Information Officers and Deputy Information Officers with the Regulator.

2. Assess what personal information you hold, how you hold it, and why:

The Company and/or Information Officer(s) will need to determine what personal information you currently hold, how you hold it, and why you hold it. Importantly, the term “personal information” is defined very broadly to mean any information that can be used to identify an individual person or another business entity. To collect and “process” information lawfully you need to be able to show that you are acting lawfully and reasonably in a manner that doesn’t infringe the data subject’s privacy. You must further show that “given the purpose for which it is processed, it is adequate, relevant and not excessive”. Data can only be collected for a specific purpose related to your business activities and can only be retained for so long as you legitimately need to, or are allowed to, keep it.


3. Check security measures, know what to do about breaches:

The company and/or Information Officer(s) must ensure that appropriate security safeguards are in place and are continually updated to secure the integrity and confidentiality of personal information in their possession or under their control. This means taking appropriate, reasonable technical and organisational measures to prevent any loss of, damage to, or unauthorised destruction of personal information, and any unlawful access to or processing of personal information. Any actual or suspected breaches (referred to as “security compromises” in the Act) must be reported to the Information Regulator and to the affected data subjects as soon as reasonably possible.

4. Check if you do any direct marketing:

The definition of direct marketing in the Act is broad and includes “any approach” to a data subject “for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject”, or even requesting them to make a donation of any kind and for any reason. A simple e-mail or WhatsApp message to your customers about new products or special offers will put you firmly within that definition. If your approach is by means of “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, you must observe the provisions of the POPI Act.


5. Get a start on procedures and training:

The company and/or Information Officer(s) will need to determine how they obtain consent, and how they collect, process and store data, for how long, for what purpose(s) and so on. You are much less likely to have a POPI Act problem if everyone in your business understands what your procedures are and implements them as a matter of course. Ensure that no responsibilities are left unassigned—assign specific compliance tasks to designated staff members and ensure clarity on who is responsible for each task.

Non-compliance

Chapter 11, section 107 of the POPI Act deals with the consequences if a business is found to be non-compliant. For educational purposes, contraventions can be categorised into serious offences and less serious offences. The penalty for a serious offence is a fine of up to R10 million, 10 years of imprisonment, or a combination of both a fine and imprisonment. Similarly, the penalty for a less serious offence is a fine of up to R1 million, one year of imprisonment, or a combination of both.

The content in this article is for informational purposes only and should not be construed as legal advice. Please contact the LWO for further information and a referral to our POPI Act service providers.
