THE PROTECTION OF PERSONAL INFORMATION ACT IS FINALLY HERE — THIS IS WHAT YOU NEED TO KNOW

The Protection of Personal Information Act (POPIA) is now in force, having commenced on 1 July 2020. Still, all businesses, including FSPs, will have until 1 June 2021 to become POPIA compliant. The POPI Act gives effect to section 14 of the Constitution, which provides that everyone has the right to privacy. The Act tries to strike a balance between the right to privacy and the right of access to information, and applies to all local and foreign companies collecting, using or handling consumers’ personal information, including names, identity numbers, ages, email and physical addresses.

Regulated by the Information Regulator, the act will be the go-to piece of legislation for consumers when their personal information is abused, or companies don’t protect it sufficiently or demand personal information, such as their ID number, when it’s not necessary. 


The fines and penalties for non-compliance with POPIA vary depending on the type of offence committed, with a maximum of 10 years imprisonment or a R10m fine.

In a country overwhelmed with crime, South Africa was in need of personal protection policies. Those who feel uncomfortable being forced to have their driver’s license scanned, their car’s number plate photographed, and their ID numbers and cellphone numbers collected when entering residential or business complexes can now also test the legitimacy of their concerns against the POPI Act with the Information Regulator. Many industry experts see this as an invasion of privacy and a perfect recipe for either cloning your car or identity theft. Manie van Schalkwyk, the executive director of SA Fraud Prevention Service, agrees: “I totally feel uncomfortable to provide any security company with that information as I am not sure what they are doing to keep secure.”

 

As SA went into Covid-19 lockdown, many industry experts said regulations such as POPIA were going to strain the ability of service providers to maintain required levels of privacy in the new work-from-home normal. In the wake of the current public health crisis, many businesses have been forced to work remotely. Now more than ever, it is critical that all businesses do their part in securing customer data, employee operations, and business continuity as best as possible.

 

For most FSPs, complying with the POPI Act will require an analysis of all personal information within the business, where they got it from and what they do with it.

The sections which commenced on 1 July 2020 are essential parts of the Act and comprise sections which pertain to:

I. Conditions for the lawful processing of personal information; 

II. Regulation of the processing of special personal information; 

III. Codes of Conduct issued by the Information Regulator; 

IV. Procedures for dealing with complaints; 

V. Provisions regulating direct marketing by means of unsolicited electronic communication and general enforcement of the act.

POPIA TO-DO LIST FOR FSPS:

1. Identify what personal information you are collecting within your business (ID documents, email and physical addresses, telephone numbers, etc.)


2. From whom are you collecting this information? (Internal: HR procedures and how you protect and process employee personal information. External: onboarding information and all information collected to perform a Financial Needs Analysis.)

3. Appoint a POPIA Information Officer for your FSP (Formal process and appointment letter to be signed and kept on file)

4. Train all staff on the role of POPIA and the roles they will play to protect client data

5. Where are you storing the information you collected? (PCs, cloud servers, cupboards. Review all the electronic systems and programs that you use to communicate with clients and where you store their information.)

6. Who has access to this information? (Identify all individuals.)

7. Rework communication tools in light of POPI’s direct marketing provisions;

8. Consider consumers’ rights

9. Implement a POPIA policy within your FSP

10. How you will act upon the right to withdraw consent

11. How you will handle client complaints within your FSP 

12. Amend all contracts (employee contract and Service Level Agreements) to include POPI compliance clauses.

FSPs process personal information from both internal and external sources and must ensure that it is processed in a lawful way.


The Act is fundamental in safeguarding persons' personal information and thus protecting them against data breaches and theft of personal information.

- Andrea Venter