POPI is a South African law that ensures that any personal information that you give out is protected. The law stipulates a set of rules that organisations have to follow in terms of how they collect, use, keep or remove data.
POPIA stands for Protection of Personal Information Act (often called the POPI Act or POPIA)
The law has been effective since 1 July 2020
POPI applies conditions for the lawful processing of personal data of South African citizens and those living in South Africa.
Any person or organisation that keeps records relating to personal information, such as an individual’s name, signature, address, phone number, credit information or date of birth, needs to comply with the POPI Act, unless those records are protected more stringently by other legislation. It sets the minimum standards for the protection of personal information.
The purpose of the POPI Act is to protect personal information, striking a balance between the right to privacy and the need for the free flow of information, as well as access to information, whilst regulating how personal information is processed. It is intended to protect consumers and legitimate businesses from those that don’t comply.
Ensure your employees are aware of the POPI Act and adhere to the regulations set out.
Assess how your clients, and employees’ data is collected, stored, processed, and eventually disposed of.
Review, create and setup the correct policies and procedures to ensure the compliant processing of personal information.
Policies and procedures should be assessed or audited by a POPI specialist to make sure they align with the requirements of the POPI Act.
Adequate communication and training on all policies and procedures should be provided to your staff.
The South African Information Regulator may institute a fine or imprisonment of up to 12 months. (Section 107 of the POPI Act)
In some cases, depending on the Sections of the Act you do not comply with, or if convicted of an offence in terms of the Act, you may be liable for a fine of up to 10 million or up to 10 years imprisonment. If your clients are impacted by a data breach, POPIA even empowers them to take civil action for damages.
POPI is the act of protecting Personal Information, implying that all the policies, procedures, processes and practices in the organisation relating to personal information, are in fact doing POPI. POPIA is merely the name of the law, and so you cannot “do” POPIA. To comply with POPIA, you need to implement a POPI programme.
POPI does not apply to a deceased person because the definition of ‘personal information’ requires that the data subject (i.e. the person) be ‘living’.
No, the POPI Act does not apply to social media as it does not protect public information. Any information that you share publicly will automatically fall outside of this Act’s protection. If you list your email address or mobile number on any social media platform, and that information is publicly available, it is then free for companies to collect and use.
The role players are:
The data subject: the person to whom the information relates.
The responsible party: the person who determines why and how to process, such as profit companies, non-profit companies, governments, state agencies and individuals. The responsible party is responsible for the lawful processing of personal information.
The operator: a person who processes personal information on behalf of the responsible party such as an IT specialist or lawyer.