South Africa’s Protection of Personal Information Act (POPIA) takes effect on 1 July – and becoming compliant with the Act should be a top priority for all companies this year, as it fundamentally changes the way they deal with consumers’ personal information.
POPIA means many businesses will have to rethink how they reach new customers, as the days of buying a database and bombarding unsuspecting consumers with ads and marketing messages are over, says Daniel Lotter, head of innovation at managed services provider Itec.
POPIA establishes a number of minimum requirements that businesses and other organisations must comply with when dealing with personal information: how they gather it, use it and protect it. This includes having to implement measures and procedures to secure that information.
“Legally, businesses’ T&Cs documents will have to change. You can’t just have catch-all clauses: you actually have to get people’s express consent to gather and use their data. And if they want to be forgotten, you have to let them go,” says Lotter.
These new requirements apply to every entity in the country that processes any personal information, including all businesses. Businesses have 12 months to get their house in order, with fines of up to R10 million for non-compliance.
How do you become compliant?
Lotter highlights six broad requirements for companies to become POPIA-compliant.
- Personal information must be kept safe and confidential. No unauthorised people, either internal or external, must be able to gain access to the information. If a leak occurs, companies have to disclose it immediately, and take steps to rectify the situation.
- Personal information must be collected for specific, legitimate purposes or functions. Companies must be able to identify the processes and procedures they use to gather the minimum amount of information they need for a specific purpose – and they can’t use this information for anything else, says Lotter.
- Consent must be obtained before collecting or processing any personal information. In obtaining a consumer’s consent, a company must provide them with detailed information about the nature of the information they need, and for what purposes. Consumers can withdraw their consent at any time, and companies must be able to prove they gained consent.
- You must be able to delete or change personal information. “Once the purpose for which information was collected has been achieved, it must be deleted. Companies can’t hold any personal information just in case they might need it in the future: they must get consent again,” says Lotter.
- You must have a system that deals effectively with individuals’ instructions regarding their personal information. In other words, consumers must be able to easily withdraw consent and change their information.
- You must appoint people within your company to be responsible for POPIA compliance. The Act specifically requires that companies appoint people, or a group of people, to be responsible parties. These responsible parties must appoint information officers to ensure compliance within the company.
So, what do you do next?
There are three key questions companies should be asking at this stage, says Lotter:
- Have we registered our company and responsible parties for POPIA compliance with the Regulator?
- Have we appointed a POPIA Information Officer and Responsible Parties within our organisation?
- Do we have a solution in place that will enable compliance to support the required measures and procedures?
“Also, ask yourself: What personal information do we hold? How do we get it, and why do we have it? Is the consent we have valid under POPIA?” said Lotter.
“Ultimately, it’s a good idea to speak to an expert, or your managed business services provider, to assess the impact of POPIA on your business. That way, you can turn compliance to your advantage.”