The Protection of Personal Information Act, more commonly known as POPI, has become a massive talking point for businesses and organisations in South Africa. There is a lot to do to ensure that you are compliant before the 1 July 2021 deadline put in place by the SA lawmakers.
In order to wrap our heads around the Act and all that it entails, we started by taking a closer look at the 8 conditions that are set out in the Act:
- Accountability
Under the very first condition, the Act states that your organisation is responsible for ensuring that all of the other conditions are met. It’s essential that you appoint a person or a team in the company or organisation who will take on this responsibility.
- Processing limitation
The Act has placed very strict limitations on what data may be collected and processed. One of the main points to focus on here is that personal information may only be collected directly from the subject and not from a third party. There are a few exceptions to this rule, for example, when the information is already in the public domain for a public figure.
- Purpose specific
The next condition revolves around why your organisation would want to collect and process personal information. You need to have specific reasons that are considered lawful under the POPI Act. It is also your duty to explicitly define these reasons in a place where the public can scrutinise them – a privacy policy on your website is the best place for this.
- Further processing limitation
In condition 4, the Act looks at how personal information may be collected and processed. Once you have defined what information you are collecting and processing, as well as why you are doing so, you must then ensure that you are following those definitions at all times.
- Information quality
It is also important to ensure that the information you have collected is accurate. If you are going to be contacting people, then you need to know that you are contacting them directly and not accidentally contacting someone who has not given you consent.
- Openness
This relates to having a papertrail that you can show anyone who asks what information you have and how it has been processed. If the person in question asks for their details or if the authorities want to check that you are compliant, you need to be able to provide documentation immediately.
- Security safeguards
Any personal information that you have captured and are storing must be kept securely. It is your responsibility to ensure that no one who shouldn’t do so gains access to the data, and that the data is not lost or damaged. In order to be compliant with the POPI Act, you need to perform risk assessments on your security measures and regular maintenance to ensure you stay up to date with potential threats.
- Data subject participation
The data subject is the person who has allowed you to collect their information and any data subject has the right, under the Act, to access their information. They can request changes be made to the data at any point, or that you delete their data. Any requests must be dealt with within a reasonable timeframe. Exact details on a reasonable timeframe have not been given in the legislation, but the general consensus is that you should take action as quickly as possible.
Get your company compliant with the POPI Act
At Netgen, we are working to ensure that all of the custom software that we develop is compliant for our South African clients. We are also ensuring that our business processes are fully compliant. If you require assistance with your business, come and talk to our software experts to get the help you need.