POPIA Compliance

With the enforcement of the Protection of Personal Information Act, 4 of 2013 (POPIA) on the horizon, business owners and leaders need to re-examine the way they handle and process data. In essence, POPIA seeks to ensure that every organisation processing personal information in South Africa does so responsibly when collecting, managing, processing, storing and sharing it. The Act holds companies accountable if they fail to protect personal information, and brings South Africa in line with international trends in data protection.

Many businesses are choosing to ignore the new regulations, and this is a big risk! Certain sections of POPIA have already commenced. Although the Information Regulator is not yet fully operational, it has already received many complaints about the unlawful processing of personal information under POPIA.

As a business, you do not want to get on the wrong side of the Information Regulator. Once POPIA is fully in force, the Regulator can assess your personal information handling practices even if no complaint has been filed.

Defining “Precious Goods”

POPIA treats personal information as "precious goods". In keeping with this view, an organisation that breaches the Act can face fines of up to R10 million, imprisonment for those responsible, or both. The Act protects the personal information of both natural and juristic persons, so companies also have a right to the protection of their information. It is near impossible to meet the requirements of POPIA without the right IT tools and platforms in place. Beyond keeping a business compliant, these tools can streamline operations and boost efficiency.

Conditions of the Act

POPIA sets out eight conditions for the lawful processing of personal information that companies must comply with:

Accountability: The responsible party must ensure that all of the conditions of the Act are complied with, and remains accountable for this even where processing is outsourced.

Processing limitation: You must be able to justify why you are collecting and processing personal information, and collect no more of it than the purpose requires. Processing needs a lawful basis (typically the consent of the data subject) and must be compatible with the purpose for which the information was originally collected.

Purpose specification: Information must be collected for a specific, explicitly defined and lawful purpose, and the data subject must be made aware of that purpose. Records must not be kept for longer than is necessary to achieve it.

Further processing limitation: Any further use or processing of the information must be compatible with the purpose for which it was originally collected.

Information quality: All information collected must be complete, accurate, up to date and not misleading. This applies to backups too.

Openness: The data subject must be notified when their information is being collected. The notification must tell them who you are (your name or company name and address), what information is being collected, and why you are collecting it.

Security safeguards: This is arguably the most important and actionable condition of POPIA, particularly for IT. First, identify which of your data contains personal information and treat it accordingly. Second, secure that information with appropriate, reasonable technical and organisational measures, and be able to demonstrate the steps you have taken. If there is a security breach, you must notify the Information Regulator and the affected data subjects as soon as reasonably possible.

Data subject participation: The person whose information you hold has the right to ask what information you have about them. They can also request that you correct it or permanently delete it.

Allocate Resources Smartly

Businesses that have to comply with both POPIA and the GDPR should ideally focus their resources on GDPR compliance first and then on POPIA. Both require focused attention on every aspect of data processing within the enterprise environment. Apart from the legal and governance side, IT has a critical role to play in achieving POPIA and GDPR compliance.

What We Can Do From Our Side If You Have A Website Through Foxx Design

The following steps are taken on our side to comply with POPIA when information is captured on your website:
• An SSL/TLS certificate is installed on the domain so that the site is served over HTTPS. This encrypts information in transit between the visitor's browser and the server; on its own it does not protect information once it is stored.
• Contact form submissions travel over that HTTPS connection and are stored on the backend behind a firewall.

Additional Steps The Client Needs To Take If They Have A Website

These steps are important to show your clients that their information is handled lawfully and kept safe. Talk to us or your current host to implement them:
• Publish a POPIA privacy notice on your website that explains how you capture and use personal information, structured around your industry. We have a basic template available if you would like us to adapt it to your business.
• Add a cookie notice to your website that visitors can either accept or decline, and only set non-essential cookies once they have accepted.