Charl Cilliers, Practicing attorney and director at Cilliers Law Inc
Deadline for implementation
South African entities, both private and public, must comply with the Protection of Personal Information Act 4 of 2013 (“POPIA”) by 30 June 2021.
The Information Regulator, the regulatory authority for POPIA, has recently confirmed that this deadline will not be extended. It goes without saying that this leaves less than 6 months for full compliance.
PURPOSE AND SCOPE OF POPIA
The main purpose of POPIA is to protect the personal information of data subjects whilst balancing their rights to privacy against other rights, such as the right of access to information.
POPIA applies to virtually all South African businesses, regardless of their legal structure. There are some exclusions, which will most probably not apply to the businesses of readers. The financial services industry in particular will be severely affected as a consequence of the level of personal information that it processes.
Penalties for non-compliance are harsh. In terms of Section 107 of POPIA, any person who is convicted of an offence is liable to pay a fine, or to imprisonment, or both. Depending on which sections have been contravened, the duration of imprisonment can be up to 12 months or 10 years respectively. In terms of Section 109, a fine of up to R10 million may be payable.
It would thus be wise for those who have not yet started with a POPIA compliance project to start as soon as possible in order to meet the looming deadline. For readers who have not yet started preparing, here are some ideas to consider as a starting point.
IMPACT ASSESSMENT AND GAP ANALYSIS
A good first step would be to do an impact assessment and gap analysis to understand exactly what the impact of POPIA is on your specific business. This will be determined, among other factors, by the size of your business, the extent to which it processes personal information, and the data protection controls already in place.
LEGAL CONSIDERATIONS
Ensure that data protection and other policies are in place, such as a record retention policy, a clean desk policy, an incident response policy in the event of a data breach, and a bring your own device policy.
INFORMATION TECHNOLOGY
It is important to attempt to prevent any form of data breach and the reputational risk that would result from it. Encryption will protect personal information from interception. Examples of available tools are BitLocker to encrypt data storage devices, or SSL/TLS certificates to encrypt data communication channels.
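Encrypting a storage device is only effective if protection is actually switched on for every volume that holds personal information. The following PowerShell script is an added example, not code from the article or from its author: it audits the BitLocker state of local volumes and reports those that would fail a compliance check. It assumes a Windows host with the built-in BitLocker module (the Get-BitLockerVolume cmdlet and its properties are real); the function name and the report fields are our own.

```powershell
# Added example: audit BitLocker protection on local volumes for a POPIA compliance review.
# Requires Windows with the BitLocker PowerShell module and an elevated session.
# Get-BitLockerVolume is a built-in cmdlet; the function and report field names are assumptions.

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        # Volume types that must be encrypted; removable media is still listed but not marked required.
        [string[]]$RequiredTypes = @('OperatingSystem', 'Data')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $findings = New-Object System.Collections.Generic.List[string]

        # ProtectionStatus 'Off' means the key protectors are suspended or absent,
        # so the data is readable even if the volume is already (partly) encrypted.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("protection is $($vol.ProtectionStatus)")
        }

        # A volume that is still encrypting, or was decrypted, leaves plaintext on disk.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("volume status is $($vol.VolumeStatus)")
        }

        # XTS-AES is the method Microsoft recommends for fixed drives on current Windows versions.
        if ($vol.EncryptionMethod -notin @('XtsAes128', 'XtsAes256')) {
            $findings.Add("encryption method is $($vol.EncryptionMethod)")
        }

        # Without an escrowed recovery password, a failed TPM or forgotten PIN means lost data,
        # which is itself a loss of the personal information POPIA requires you to safeguard.
        $hasRecovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $hasRecovery) {
            $findings.Add('no RecoveryPassword key protector')
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Required   = ($vol.VolumeType -in $RequiredTypes)
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: show only the volumes that must be encrypted and currently fail one or more checks.
Get-BitLockerComplianceReport |
    Where-Object { $_.Required -and -not $_.Compliant } |
    Format-Table -AutoSize
```

Run the script on each workstation or server in scope (for example through a scheduled task or a management tool) and keep the output as evidence for the gap analysis; an empty result for the required volume types is the state you want to be able to demonstrate.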
SALES AND MARKETING
Section 69 of POPIA deals with direct marketing by means of unsolicited electronic communications, which includes automatic calling machines, facsimile machines (for those who still use them), e-mails and SMSs.
It is important to note that you can only use these forms of communication once, unless you have obtained specific consent from a lead or prospect. You are allowed to contact existing customers more than once, but only under certain circumstances.
HUMAN RESOURCES
Ensure that you have a secure exit procedure for employees who resign or are dismissed, including revoking their access rights to any business information and to the personal information of other employees, customers and prospects.
FINANCE
The protection of account numbers is a vitally important aspect of POPIA, as this is the type of personal information most targeted by hackers. POPIA punishes data breaches related to account numbers by a fine of up to R10 million or 10 years’ imprisonment.
IMPORTANT POPIA TERMS
• Processing: The different ways in which personal information is handled in both physical and electronic format.
• Personal Information: Any information that identifies a natural or juristic person, such as contact details, race, gender, bank accounts, medical history, employment, education and criminal history.
• Information Officer: The person responsible for ensuring that the responsible party complies with the conditions of lawful processing of personal information.
• Data Subject: The person to whom the personal information relates.
• Responsible Party: The person that processes personal information.
• Operator: The party that processes personal information for the responsible party.
This article is not comprehensive and does not constitute legal advice, as POPIA is a vast and complex field.
Readers should consult appropriate experts for advice.
www.cillierslaw.co.za