Understanding the POPI Act
The Protection of Personal Information
What is the POPI Act?
The Act is primarily intended to assist with the following:
- Protection of your rights as a user online when it comes to your data and how your data is used
- Your rights as to unsolicited electronic communications
- How businesses should comply with the processing of user data
- This will apply to public and private entities
When will the act be implemented?
The act was signed into law on 19 November 2013. Since then there has not been any enforcement of the Act.
If you are unsure how to proceed, you should familiarise yourself with the Act and ensure your company has put measures in place to comply with it.
Once the Act is fully in place, all companies will have one year to comply with the requirements.
What is defined as personal information?
In terms of the Act, personal information is data that can be used to identify a person. It is defined as "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person."
This information about a person includes, but is not limited to:
Race, Gender, Sex, Pregnancy, Marital status, National / ethnic / social origin, Colour, Sexual orientation, Age, Physical or mental health, Disability, Religion / beliefs / culture, Language, Educational / medical / financial / criminal or employment history, ID number, Email address, Physical address, Telephone number, Location, Biometric information, Personal opinions, views or preferences.
Who is affected by the POPI Act?
Just about all companies and individuals will be affected by the Act.
Specifically, companies which deal with personal information will be affected by the changes.
There will also be new guidelines for companies which send out direct marketing using channels such as emails.
How is my business affected by the POPI Act?
The following is very important for just about every company:
- You need to ensure the way in which personal information is handled is documented
- All data should be kept safe & secure (digital and documents)
- There are different requirements for handling personal & non-personal information
- If your company experiences a breach of personal data, it is important to notify all stakeholders in terms of which data was compromised
What else do you need to know?
The POPI Act will mean that you need to look after the data you collect from your users in whatever form this may be.
If you do not, then:
- You will be liable to pay penalties of up to R10 million.
- If you hinder the law in any way, you could also face 12 months' jail time.
- If you are a marketer, you need to ensure your user has given their permission for their data to be used in any form of communication.
The POPI Act is similar to the GDPR law from Europe, but the fines are not as high and the stakeholder management is slightly different.
The following laws will be affected by the POPI Act:
- The Electronic Communications and Transactions Act’s privacy provisions will fall away (where there are duplications of POPI).
- The Promotion of Access to Information Act will see all sections dealing with a person’s own personal information fall away and be dealt with in POPI.
- The National Credit Act and Consumer Protection Act will be amended and see all sections dealing with privacy removed and dealt with in POPI.
Protection of Personal Information Act 4 of 2013
The following information is a short guideline to the POPI Act.
The Protection of Personal Information Act 4 of 2013 aims:
- to promote the protection of personal information processed by public and private bodies;
- to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
- to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000;
- to provide for the issuing of codes of conduct;
- to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
- to regulate the flow of personal information across the borders of the Republic; and
- to provide for matters connected therewith.