Everything your business needs to know about POPIA

By Professor Danny Myburgh

It is astounding to consider all the data that can be found about each person. This includes contact information, private messages, blood groups, age, gender, race, employment history and financials. The data is not all in one place – but it is out there. And the damage that can be done with the right information – not to mention the fact that we all have a right to privacy – means that over the past few years countries have started legislating data protection.

In Europe, the General Data Protection Regulation (GDPR) came into force on 25 May 2018 and has become a standard that many other regions follow. In South Africa, the Protection of Personal Information Act (POPIA) came into full effect in July 2021.

POPIA is a complex piece of legislation that has a simple premise: Businesses and organisations hold a lot of data relating to their customers. They have a regulatory duty to protect that information- first to protect client privacy but also because of fraud and identity theft, all of which requires hackers to access personal information.

It is imperative that South African organisations understand POPIA, how to comply with the act and the rights of their customers in terms of their personal information.


POPIA in a nutshell

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy. This right includes the protection against the unlawful collection, retention, dissemination and use of personal information. POPIA assures this right and has strict regulations in place to ensure that every company complies with it. Depending on the nature of the offense, businesses as well as individuals can be punished and offenders can be fined up to R10 million and can even be jailed.

POPIA applies to every business in South Africa, including international firms operating within our borders. If you collect, uses, store or destroy personal information from a data subject (the natural or legal entity to whom the information belongs), you are subject to the Act.

Some of the obligations of businesses under the Act include:

  • To only collect information for a specific purpose
  • To ensure that the information is relevant and up to date
  • To have reasonable security measures in place to protect the information
  • To only keep necessary information
  • To allow the data subject to obtain or view their information on request.

Given the amount of data that most businesses collect, process and store, this requires the right technology, procedures and partners to remain compliant.


Staying on the right side of the law

Organisations need to pay attention to the following aspects of data to ensure they are on the right side of the law:

  • Regularly review and update all customer, supplier and third-party agreements. This is a critical step. Many supplier and third-party agreements pre-date POPIA and don’t cover the personal information of their customer’s customers. One of the biggest data breaches in 2022 involved a third-party supplier.
  • Implement technical and organisational measures to protect and prevent unauthorised access to and obtaining of personal information. Both customers and the law have a clear expectation that personal data will be safe. This begins with access.
  • Ensure you have consent documentation and private notices and that any customer can opt-out of your business utilising their data.
  • Develop a culture of privacy by training staff, regularly updating and implementing policies and procedures, and implementing awareness campaigns around data protection. Under POPIA, everyone within an organisation has the responsibility to protect client data. This makes cyber awareness and ensuring that no employees are weak links in cyber security, critical.
  • Implement a data breach and incident response plan and policy.
  • Implement a data access management system for the data subject in accordance with POPIA and PAIA legislation. Any data subject has the right to request what personal information a business holds. They can also request that any personal information that is incorrect, irrelevant, superfluous, misleading or unlawful be updated or destroyed. An access management system that has a clear view into an individual’s data is therefore essential.

Ultimately, under POPIA, businesses must protect the integrity of all personal information in its possession and under its control. This can only be achieved by ensuring that measures are in place to prevent the loss of, damage to or unauthorised destruction of personal information.