Please note that every effort has been made to ensure that the advice given in this educational material is correct. Nevertheless, that advice is given purely as guidance to readers to assist them with particular problems relating to the subject matter of the educational material, and African Venture Group will have no responsibility to any person for any claim of any nature whatsoever that may arise out of, or relate to, the contents of this educational material.
The Protection of Personal Information (‘POPI’) Act is South Africa’s major data protection law and it comes into effect on 1 July 2020. First implemented in 2013, the Act gives effect to Section 14 of the Constitution, which provides that everyone has the right to privacy.
The POPI Act changes the way all companies are required to treat personal information. From next week, there will be new laws in place that government, companies and organisations must follow when they’re using or storing people’s personal information.
Companies have one year, until 1 July 2021, to become compliant.
Violations of the Act could result in fines or compensation for damages as high as
Here is what you need to know.
All businesses are affected
The Act sets out rules for the collection, processing, storage and sharing of someone else’s personal information and will hold institutions accountable if they misuse or compromise personal information.
Direct marketing will be hardest hit, as people will now have to agree to being contacted. This means no more cold calls or voicemails from robots.
While data protection laws of many other countries exempt SMEs, this is not currently the case in South Africa.
Furthermore, every person and company is protected by this Act.
What is considered personal information?
The following information is considered personal or “precious goods” according to the legislation:
Date of birth and age
Phone numbers (including cell phone number)
Online or instant messaging identifiers
Gender, race and ethnic origin
Photos, video footage (including CCTV footage, voice recordings and biometric data)
Marital relationship status and family relations
Religious or philosophical beliefs (including personal and political opinions)
Employment history and salary
Physical and mental health information (including medical history and blood type)
Memberships to organisations or unions
NOTE: If this information is posted on your social media pages, you cannot complain about it being used in a data directory.
Relevant sections and applicable dates
Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) commence on 1 July 2020.
These sections are essential parts of the Act and comprise sections which pertain to, among other things:
The conditions for the lawful processing of personal information
The regulation of the processing of special personal information
Codes of conduct issued by the Information Regulator
Procedures for dealing with complaints
Provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act
Sections 110 and 114(4) commence on 30 June 2021.
Benefits of the POPI Act
Firstly, the purpose of the POPI Act is to protect people from harm by protecting their personal information.
Secondly, the Act aims to protect people from having their money or identity stolen and to protect their privacy, which is a fundamental human right.
Furthermore, the POPI Act encourages transparency and openness and aims to increase customer confidence in organisations. This means your clients/customers will have more trust and confidence in your business because their information and their interactions with you are secure and protected.
What this means for consumers
The people whose information is gathered and processed will now have the right to:
Be notified when personal information is being collected
Be notified if this information is accessed by an unauthorised person
Inquire whether a party has their personal information
Request a copy of their information from the responsible party
Request the correction or deletion of their personal information
Object to the processing of their personal information in certain circumstances
Not have their personal data processed for direct marketing purposes
Not be subject to a decision based solely on automated processing of their information in certain circumstances (such as automated profiling based on their personal information)
Submit a complaint to regulators regarding non-compliance
Institute civil proceedings against those who interfere with the protection of their information
How businesses can become compliant
The main motivation for complying with the POPI Act should be to protect people from harm.
To become compliant, businesses need to capture the minimum amount of required information, ensure it is accurate and remove information that isn’t required.
Responsible parties (i.e., your business) can take various steps to comply:
Appoint an Information Officer
Raise awareness amongst all employees
Amend contracts with operators
Report data breaches to the regulator and data subjects
Check that they can lawfully transfer personal information to other countries
Only share personal information when they are lawfully able to
Make sure your business takes the appropriate measures to keep the personal information safe and reduce the risk of your system being breached.
For more information, please contact African Venture Group's legal department.