Simple Guide to POPI Compliance

protection of personal information act popi

The Protection of Personal Information – or POPI – Act regulates how organisations handle personal information, whether it's for individuals or other businesses. This includes how the information is stored, processed and shared.

Who has to comply with the POPI Act

Any organisation that obtains, processes, stores or shares personal information is required to comply with the POPI Act.

For example, if your business keeps information about employees and/or customers, it has to comply. In practice, this means very few South African companies are exempt.

What is personal information?

Personal information is any information that may reasonably be used to identify a particular individual.

Some examples of personal information are ID numbers, email addresses, phone numbers and addresses, ages and dates of birth, medical records, criminal records, financial information and employment history.

Photos or video recordings that show individuals – whether in business or social settings – also constitute personal information.

Information that's about individuals but that can't possibly be used to identify them doesn't qualify as personal information. Examples are anonymous survey results and demographic statistics.

Complying with the POPI Act

In line with international privacy legislation, the POPI Act requires that organisations:

  • obtain unambiguous consent from individuals before obtaining, storing, processing or sharing their personal information
  • collect only personal information that they need for legitimate business purposes
  • use personal information only for the purpose for which it was originally collected
  • keep personal information only for as long as it's legitimately required
  • take reasonable measures to protect the security of individuals' personal information
  • provide access to and update or correct individuals' personal information if requested to do so.

If personal information is to be shared with other companies or individuals, whether they are third parties or other legal entities within the same group of companies, these parties must have the same level of security for the protection of this information.

When does POPI come into effect?

Although it was signed into law in 2013, the Act was introduced only in 2017, after the appointment of the Information Regulator.

The Information Regulator is an independent body that monitors and enforces the POPI Act, as well as the Promotion of Access to Information Act of 2000.

The commencement date for the POPI Act has not yet been announced. Companies and businesses will have a grace period of one year to comply with the POPI Act after the commencement date. Under certain circumstance, this period may be extended to a maximum of 3 years.

How does POPI affect your business?

To comply with the Act, businesses must implement proper systems for getting individuals' consent and for deleting or destroying personal information once it's no longer required.

They should add disclaimers to physical and digital forms where applicable, and update their terms and conditions to communicate what information they possess and how it will be used, stored and, if applicable, shared.

Businesses must also ensure that any personal information they collect is adequately protected from data breaches and theft. This may involve updating systems used to collect and store personal information, and implementing new security products and protocols. Ideally, it should also involve training all staff on data protection and privacy requirements.

Non-compliance with POPI can result in a hefty fine and/or imprisonment for up to 12 months.

What if there's a data breach?

If a data breach occurs or personal information is compromised in some way, the responsible organisation is required to inform the affected parties, including the Information Regulator, immediately.

The nature of the breach and steps being taken to rectify the situation must be explained, if possible. A subsequent investigation will determine if all reasonable measures were taken by the business to protect the information.

How PM&A Consulting can help

If your company collects, stores or processes personal information, PM&A Consulting can help you comply with the POPI Act by identifying and implementing suitable data protection measures.

We specialise in offering small to medium Cape Town businesses the best possible networking and security solutions, at reasonable prices. Contact us for more information or to discuss your data security needs.

Contact us to discuss your security needs