THE EFFECT OF THE PROTECTION OF PERSONAL INFORMATION (POPI) ACT ON BUSINESSES
COMMERCIAL AND INTELLECTUAL PROPERTY DEPARTMENT
SACBW Gauteng invited Jana Doussy, a Senior Associate and Department Head of Intellectual Property at Stegmanns Incorporated, to talk to our members on the topic of the POPI Act. Jana is an Attorney of the High Court of South Africa with more than 7 years' experience. She is also an Associate of the South African Institute of Intellectual Property Law (SAIIPL). Her expertise extends to all aspects of Intellectual Property and Commercial Law. She is also experienced in High Court and Magistrate Court practice and procedure. Here is what she had to say.
The purpose of the Protection of Personal Information Act is to bring South Africa in line with international standards of protection of personal information. The POPI Act will effectively change the way in which both government and business deal with individuals’ private information. The Act sets out mandatory regulations which every organization that processes persons’ information must adhere to in order to be compliant and to avoid fines and, in some cases, even jail time.
Personal information has a wide meaning. It includes information which identifies and relates to living individuals (for example, gender and employment history) and to existing corporates (for example, company contact details and correspondence of a confidential nature).
The individual or corporate that the personal information relates to is referred to as the “Data Subject”.
POPI protects personal information of Data Subjects by imposing minimum standards for its lawful processing.
The Data Subject must consent to the processing of personal information except in certain circumstances. The most common of these is where processing is necessary to conclude or perform a contract with the data subject.
POPI applies to all Natural Persons, Juristic Persons, Public and Private Bodies.
The Act came into effect on the first of July 2020. However, the Legislature granted businesses and organizations a grace period up until the 31st of December 2020 to become POPI compliant, after which penalties will be charged for non-compliance.
In terms of the Act, the person responsible for processing that information is accountable to ensure that the stipulations of the Act are followed.
The effect that compliance will have on your business is that you will have to compile a POPI compliance policy. This policy deals with the administration and processing of the personal information of your customers, prospective customers, suppliers and employees.
Furthermore, you will need to train and appoint an information officer who will administer your POPI policies and conduct personal information impact assessments. It is also imperative that your employees are well informed of their responsibilities in terms of the POPI policy which you implement in your business.
THE IMPACT ON YOUR BUSINESS
The Act stipulates specific time periods for the retention of personal information, which can be found in the schedules to the Act. These time periods are set out to allow persons the opportunity to access their information which is in your possession, and to allow other parties who have the right to access such information by operation of law to do so. Processing of information must be done lawfully and in a manner that does not infringe the privacy of the individual.
Personal information can only be processed if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used. Where the Responsible Party intends to use the information for any purpose other than that for which the information was collected, the Responsible Party must first obtain permission from the Data Subject.
In simple terms, if you are in the business of selling computer hardware products and you collect a customer's personal information for the purpose of delivering the products to the customer, according to POPI you can only use that information for the purpose agreed upon at the time the information was collected. If at a later stage an opportunity presents itself where you would like to market new products which you have received, you are required, in terms of POPI, to first contact the consumer and acquire permission to send them such marketing material.
Only the following exemptions apply when processing information:
- For personal and household reasons;
- If the subject cannot be identified or is de-identified;
- Public bodies involved in national security;
- For purposes of executing the judicial functions of the court;
- For journalistic, literary or artistic purposes.
Contact: firstname.lastname@example.org if you have any questions regarding the POPI Act and the implications thereof on your business.