Simple Guide to POPI Compliance

The POPI (Protection of Personal Information) Act governs how companies and institutions handle personal information, whether it relates to individuals or to other businesses. This includes how the information is stored, processed and shared.

Some examples of personal information include:

  • ID number
  • Email address/es
  • Phone number/s
  • Age and date of birth
  • Physical address/es
  • Gender or race
  • Photos or video recordings
  • Marital status
  • Criminal record
  • Financial information
  • Employment history
  • Health information
  • Private correspondence

What does the POPI Act do?

The act ensures that a company may only collect the information it needs and that this information is protected at all times. A company is also only permitted to keep personal information for as long as it is needed.

The act also requires transparency about what information a company holds and with whom it will be shared. If a customer or client asks, the company must disclose what personal information it holds about them.

If personal information is shared with other companies or individuals, whether they are third parties or other legal entities within the same group of companies, these parties must have the same level of security for the protection of this information. The full consent of the customer is also required before the company is allowed to share their information with third parties.

Some of the basic conditions of POPI compliance are as follows.

The company must:

  • only gather information they need at that time;
  • specify what the information is going to be used for;
  • not share the information without permission;
  • ensure that the information is accurate and up-to-date;
  • let the customer know what information they have;
  • keep the information safe at all times; and
  • ensure they have permission to collect the information.

When does it come into effect?

Even though it was signed into law in 2013, the Act was only introduced in 2017, after the appointment of the Information Regulator.

The Information Regulator is an independent body which monitors and enforces the Protection of Personal Information Act as well as the Promotion of Access to Information Act of 2000.

The commencement date for the POPI Act has not yet been announced.

How does POPI affect your business?

Companies and businesses will have a grace period of one year to comply with the POPI Act after the commencement date. Under certain circumstances, this period can be extended to a maximum of 3 years.

In order to be compliant, companies must get permission from individuals and suppliers before obtaining, processing, storing or sharing personal information. Disclaimers might need to be added to physical and digital forms where applicable.

The company must also ensure that any personal information they collect is protected from data breaches or theft. It may be necessary for some companies to update systems used to collect and store personal information in order to ensure there is no risk of breach.

Businesses must also clearly communicate what information they possess and how this information will be stored and, if applicable, shared. Your terms and conditions will need to be updated to reflect these changes.

It is the full responsibility of the company collecting and storing the information to ensure that these requirements are met. Non-compliance can result in a hefty fine and/or imprisonment of up to 12 months.

In the event that there is a data breach or the personal information is compromised in some way, the company or organisation is required to immediately inform the affected parties, including the Information Regulator.

The nature of the breach must also be explained, along with the steps being taken to rectify the situation where possible. The subsequent investigation will determine whether the business took all reasonable measures to protect the information.

How PM&A can help

If your company collects and stores personal information, PM&A consulting can assist with improving your digital security and implementing data encryption to ensure that you are fully POPI compliant.

If your business needs help with POPI compliance, please get in touch to further discuss your needs.