Why is South Africa’s POPI Act so important?

In this digital age, it has become more important than ever to protect your data and private information online. The risk of privacy breaches threatens organisations, businesses and people of all kinds. The Protection of Personal Information Act (commonly known as the POPI Act or POPIA) is the new foundation of South Africa’s data protection laws.

The purpose of the POPI Act is to protect the personal information of people and organisations, mitigating the potential risks that come with private data breaches. The POPI Act looks to prevent South Africans from having their money or identity stolen as a result of personal information being collected and misused.

Essentially, the POPI Act wants to protect the privacy of South Africans by keeping our mobile, computer and financial data safe and regulated. The right to privacy is a fundamental human right and extends beyond our physical privacy and into our online presence. The POPIA’s compliance requirements are intended to help create a more secure digital environment for South Africans to conduct our business and share online information.

Is the POPI Act new?

The short answer is: no. The Protection of Personal Information Bill was first drafted in 2009 and spent a decade navigating South Africa’s legislative system. In 2020, the Bill passed and became what we know today as the Protection of Personal Information Act.

The POPI Act is South Africa’s equivalent to the EU’s GDPR (General Data Protection Regulation), which sets conditions for responsible parties to lawfully process the personal information of data subjects. This is not intended to stop the processing of personal data, but to create legal and security requirements for its collection and use.

South Africa’s POPI Act does not stop organisations or individuals from processing personal data or require consent from their data subjects to process that information. Whoever, or whichever organisation, decides to process personal information in South Africa will be responsible for complying with the regulations and conditions of the POPI Act.

POPI Act compliance has begun

The President announced in mid-2020 that a one-year grace period would begin on 1 July 2020 before the Act becomes law. This 12-month period was intended to give South Africans and organisations the opportunity to become compliant with the new POPI Act. As of 30 June 2021, the POPI Act’s compliance expectations have commenced, and the corresponding Information Regulators and Officers should be assigned within your organisation.

Who does the POPI Act apply to?

The Act, essentially, applies to all South African persons or organisations that record or store any type of personal information that belongs to other data subjects. Unless those data records are subject to more stringent regulations, that organisation must process that personal information in compliance with the POPI Act.

“Processing” personal information includes collecting, receiving, recording, organising or retrieving private data, as well as using, sharing, disseminating, selling or distributing that data. Any natural or juristic persons (or organisations) who “process” personal information here must comply with South Africa’s data protection laws, including large corporations and government bodies.

Things you should know about the POPI Act

The POPI Act is made up of eight general conditions and three extra conditions that all responsible parties must meet in order to comply. These responsible parties are also responsible for any compliance failures by operators or service providers that they have hired to process their data.

As of the beginning of this month (July 2021), all South Africans and organisations are expected to be fully compliant with the POPI Act. In order to help you gauge your compliance with our new data protection laws, here are a few things you should consider:

  • Audit all of your current data procedures used to process, store or share any personal information. Can you confirm that all of your data is secured according to POPIA compliance requirements?
  • Organise and classify all personal information being stored and understand why you are processing that data. Ensure that you only access and save appropriate (lawful) data.
  • Evaluate the methods you are using for processing information. Is that data being processed correctly in accordance with the POPI Act?
  • Remain consistent in your reasoning. Your reasons for processing, saving or sharing any personal information should be valid and remain consistent over time.
  • Transparency is critical. Make sure that every individual is aware when personal data is being stored or shared – and what you intend to do with it. Users have a right to know why their private information is being processed.
  • Organisations must ensure their data quality and accuracy. All personal information being processed should be checked to make sure it is accurate, complete and not misleading.
  • Assign your Information Regulators and Information Officers. They will be responsible for ensuring your organisation’s POPIA compliance when processing personal information.
  • All private data should be processed for the purpose it was intended and only stored for the time required. A record of transactions and data should be kept for users; however, personal information must be deleted after it has served its purpose.
  • Understand all regulations and restrictions for cross-border and international data transfers. Any private data, coming in or out of South Africa, will also be accountable to the laws of the country you are sharing personal information with.

Understanding the rules and regulations of South Africa’s POPI Act will be critical for any person or business that is processing private data – at any scale. The POPI Act is not intended to become a financial or administrative burden for South African organisations. Rather, it is intended to transform the way we store and share personal information, making our processing more efficient, secure and safe for South Africa’s Internet users.

Cognite Marketing does not offer legal advice. Always consult a legal expert to ensure your compliance with the POPI Act and any other regulations.
