What is the POPI Act and how do I comply? Easy Explanations
What is POPIA?
The Protection of Personal Information Act (POPIA) is a South African law that introduced minimum requirements on public and private organisations for collecting, storing, and using people’s personal information.
What is the purpose of POPIA, and why did it come about?
POPIA protects people's privacy in South Africa. It does this by restricting the unauthorised collection and surveillance of personal information, something that many private businesses and public entities are involved in daily.
What is considered personal information?
Personal information refers to any data points that can be related to an individual, such as:
- Names, age, birthdate, sex, religion, education, skills, language preferences, ID numbers, ID documents, bank accounts, company registration numbers, and details, driver's license and vehicle registration plate numbers, mobile phone IMEI and serial numbers, QR codes, and signatures
- Physical and postal addresses, phone numbers, email addresses, device identifiers, social media accounts, geo-location data, meeting venues and times, and meeting participants
- Biometric data like photographs, photo-ID documents, video recordings, fingerprints, voice prints, facial features, and behavioural characteristics
- Emails, SMS, social media posts
- Personal opinions, views, or preferences of the person as well as the views or opinions of another individual about the person
- Financial account details, transactions, history, and purchasing preferences
- Medical and health-related information, doctor prescriptions, and pharmacy scripts.
Who has to comply with the POPI Act?
Everyone has to comply with POPIA, with a few exceptions. If you're doing something for personal or household reasons, you don't have to worry about following POPIA. Certain public bodies, like the Cabinet or provincial Executive Councils, have some exemptions from specific conditions in the legislation, but they still need to follow most of the rules.
Small companies, sole proprietors, and freelancers must comply with POPIA if they collect, process, store, or share personal information. POPIA applies to everyone, regardless of their company's size or the industry in which they work.
Usually, it is simpler for small companies to comply with POPIA because it is often easier for them to minimise the processing of personal information in their business operations. Processing less personal information reduces the compliance burden.
However, small businesses still need to understand their obligations under POPIA and take steps to protect the personal information of their clients, customers, and vendors.
It's also worth mentioning that POPIA doesn't cover personal information that's processed exclusively for journalistic, literary, or artistic purposes. However, there's a code of ethics in place to ensure there are adequate safeguards that strike a balance between one's right to privacy and freedom of expression.
Complying with POPIA
While POPIA allows the processing of personal information, it only permits organisations to do so if their data-collecting process meets several standards and conditions. And while the basic principles of POPIA apply to everyone, certain industries like telecom, finance, and healthcare have extra legal obligations for privacy and data protection because they handle particularly sensitive personal information.
- Identify What You’re Processing:
Given that personal information is a broad definition of all kinds of data types, your organisation must specifically call out what type(s) of information you’re collecting.
- Document What You Do:
Catalog your entire data processing operation and conduct personal information impact assessments for each processing operation using the personal information you identified.
- Identify your Responsible Party:
According to POPIA, the top person in charge of handling personal information is called the "Responsible Party." They have important responsibilities, like ensuring they don't harm the individuals whose information they process. If the Responsible Party doesn't follow POPIA's rules, they might have to compensate the affected individuals or face penalties imposed by the Information Regulator (IR).
- Appoint an Information Officer:
The information officer is not involved in management decision-making, helps individuals with data subject requests and complaints, and guides the Responsible Party with compliance obligations.
- Establish Your Legal Reason for Collecting Data:
You're allowed to process someone's personal information if there's a valid legal reason, like contracts or public law duties. The Responsible Party can also process personal info if they have a legitimate interest or if they've obtained permission from the individual.
- Communicate What You’re Doing and Why:
Before you process someone's personal information, confirm that you have authorized your service providers to do so on your behalf and communicated with your customers and employees about your reasons for collecting their personal information, how it will get used, and how long you need to keep it on file. This helps promote transparency and respects the rights of the individuals involved, giving them some control over their information. By defining and communicating the purpose, everyone has a better understanding and confidence in the process.
- Limit the Data You Collect:
Even when you have someone’s permission to process their personal information, you can only process the bare minimum of what is needed in the least intrusive manner possible. Anything more would require the affected person’s consent.
- Install Safeguards in Your Process:
To make sure that nobody gets hurt by processing their personal information, the Responsible Party needs to implement technical and organizational measures — like risk assessments — before starting any work. It's important to keep an eye on these safeguards, monitor them regularly, and update them as needed to ensure ongoing protection.
- Check on Special Circumstances:
Establish whether or not the personal information you process falls under one of the special (sensitive) categories of personal information and, if it does, know what additional precautions you need to take.
- Report Information Breaches:
POPIA requires that Responsible Parties report information breaches within a specified time frame to the Information Regulator and affected individuals.
- Allow for Data Subject Requests:
People whose personal information is being processed have the right to make different types of requests. For example, they can ask for a description of the information you're holding, details about how you're processing it, or access to the information your Responsible Party is holding. If they discover that you're processing their information unlawfully, inaccurately, or for purposes beyond the original scope, they can ask your organisation to correct, delete, or destroy the information you hold on them. To meet these requirements, organisations must maintain a system to handle such requests.
- Keep Your POPIA Manual Current:
Every organisation must develop, monitor, maintain, and make available a POPIA manual that includes:
  - Instructions on how individuals can request records about the information your organisation holds on them and the categories of that information.
  - A clear statement of the purpose for which you process their personal information.
  - A description of the types of individuals from whom your organisation collects information and the specific types of information collected.
  - The entities or groups (including categories of recipients) that might have access to their personal information.
  - Any plans to transfer personal information across borders.
  - The security measures in place to keep the information confidential, intact, and available when needed.
What type of companies are most at risk of POPIA non-compliance?
1. The obvious examples
In this digital age, people have a greater understanding of what an infringement of their personal information looks like. To that end, while POPIA non-compliance can happen by accident or unintentionally, these examples illustrate more glaring instances of negligence:
- Companies that process personal information without completing a risk assessment.
- Companies that collect personal information unlawfully.
- Companies that process personal information without notifying the affected people.
- Companies that collect personal information from or share it with third parties.
- Companies that use their legitimate interest to process personal information but fail to protect the affected persons from harm.
- Companies that retain personal information without a legitimate purpose and valid legal basis.
2. The less obvious examples
POPIA non-compliance can happen by accident, during one-off occasions like fundraisers, or by companies that don’t regularly collect personal information. That’s why it’s important to make sure you understand POPIA compliance so you know what to do if your firm ever requests or conducts:
- Driver’s licenses and ID documents scans
- Job applicant background checks
- Credit reporting checks on staff
- Event photography
- Video surveillance that is not from a distance
- Someone’s ID without a valid legal basis
- Someone to identify themselves in a transaction when it isn’t required
If your company doesn’t comply with POPIA, it can be required to:
- Destroy the personal information you’re trying to process.
- Restrict the processing of personal information.
- Transfer all related personal information to another automated system.
- Provide independent assurance that steps taken to fix non-compliance are effective.
- Compensate the affected parties.
- Pay administrative fines up to R10 million.
- Face prosecution in court, and on conviction, be fined or imprisoned.
- Be subjected to a class action lawsuit.
Organisations that don't comply with POPIA often struggle with other important governance frameworks like King IV and ESG objectives. Non-compliance can also have a negative impact on their cyber security and show a lack of respect for fundamental human rights in South Africa. This could lead to reputational damage, loss of customers, and loss of investor trust.
What are the data protection risks?
Organisations must have a “valid legal basis” to process another person’s personal information. Where a law or contract provides for the processing of personal information, the organisation can process this information in accordance with the conditions imposed by the law or contract. If there is no law or contract, the organisation can ask the individual to consent to the processing of his or her personal information.
Sometimes a public duty is imposed on an organisation by a law regulating a public benefit. In this instance, if the individual does not object, the organisation can process the individual’s personal information. If the individual is fully incapacitated, and the processing is vital to the survival of the individual, the organisation can process the person’s personal information. When it is essential to achieve a particular objective of the organisation, and there is no alternative way to achieve this objective, the organisation may be able to process an individual’s personal information based on its legitimate interest if the individual does not object.
Organisations must have a valid legal basis to process personal information, whether by law, contract, or the consent of the subjects involved. However, there are many instances in which organisations may unintentionally or unknowingly collect someone's personal information without that valid legal basis.
After all, as we already established, personal information covers a wide variety of data points that go far beyond your credit card or social security number. It can include photos of a person at a street corner captured by a security camera. Or just someone’s email address. The point is, if you suspect your organisation collects any form of personal information, either actively or passively, get the necessary valid legal basis to avoid the data protection risks like the ones listed here.
Minor data protection risks when processing without a valid legal basis:
- Sending an email to the wrong address that doesn’t reveal any other identification information (e.g. name) and is not used as a primary address of the individual in internet sites, forums, or social networks.
- Taking a photograph when the picture is unclear or vague (e.g. CCTV footage from a long distance).
- Using an ID card when no other information is provided about the individual or it is not possible to find additional information unless access to a reference database (e.g. credit bureau) is obtained.
- When the accessed personal information does not reveal and cannot be linked to any other personal information about the individual unless access to a reference database (e.g. credit bureau) is obtained.
- Video surveillance of a building entrance from a distance sufficient not to be able to identify any individuals.
Major data protection risks when processing without a valid legal basis:
- Sending an email to the wrong address that doesn’t reveal any other identification information (e.g. name) but is used as a primary address of the individual in internet sites, forums, or social networks (searchable on the web).
- Sending an email to an incorrect address that reveals the individual’s name and is used as his/her primary address in internet sites, forums, or social networks (searchable on the web).
- When an email with personal data has been wrongly sent to several known recipients.
- When some customers could access other customers’ accounts through an online service.
- When personal information is published on an internet message board.
- When a wrongly configured website makes personal information of loyalty club members, customers, or staff publicly accessible online.
- Taking a photograph when the picture is unclear or vague but it includes additional information (e.g. surroundings that show a specific location) that could lead to the identification of the individual.
- Taking a photograph when the picture is clear but no other identifying information is linked to it.
- Taking a photograph when the picture is clear and linked to some additional identifying information.
- Using an ID card when the identifier reveals additional identification information about the individual (e.g. social security number revealing date of birth) and is linked to other data (e.g. postal address or email).
- Using an ID card when information from the reference database is also available (e.g. ID card and full name and/or picture).
- When access reveals some personal information about the individual (e.g. first name) and is linked to other personal data (e.g. the individual’s email address).
- When access reveals the individual’s full name or personal information from a reference database is also available.
Note that the severity of the incident may depend on the nature and extent of the violation, not to mention the harm caused to the people involved. We recommend you consult a data protection professional to fully understand the implications of non-compliance with POPIA.
Who checks that my organisation complies with the POPIA?
The Information Regulator (IR)—an independent body established by POPIA—monitors and enforces POPIA compliance.
As POPIA’s regulatory body, the IR investigates complaints, conducts audits, issues fines and penalties, and takes legal action against organisations that don’t comply with the law. The IR also provides guidance and support to organisations to help them understand and comply with POPIA.
What is considered an offence according to POPIA?
POPIA covers a range of offences related to the processing of personal information, including:
- If someone gets in the way, causes trouble, or tries to manipulate the Regulator or anyone working for them while they're doing their job, they're breaking the law.
- People working for the Regulator must keep any personal information they come across during their official duties confidential unless they're required by law to communicate or share that data. If they don't, it's considered an offence.
- Intentionally obstructing someone carrying out a warrant is against the law.
- If a Responsible Party doesn’t act on an enforcement notice, they're breaking the law.
- If a Responsible Party makes a false statement while supposedly following an information notice, it's considered an offence.
- If someone is summoned to appear before the Regulator to provide evidence or hand over documents, and they don't have a good reason for not showing up at the specified time and place, or if they refuse to cooperate after being sworn in, they're breaking the law.
- If a Responsible Party fails to meet POPIA’s necessary conditions or take the steps to do so, they're breaking the law.
- If a Responsible Party fails to notify the IR about processing that poses a high risk to individuals affected, they're breaking the law.
What tools and resources are available to help my company comply with POPIA?
Complying with POPIA can be a complex process, but there are several tools and resources available that you can use to help make it easier. Some of our top recommendations include:
- POPIA Compliance Framework and Monitoring Systems:
These ensure that personal information is processed lawfully and people's privacy rights are respected. They start working from the onset when the purpose and methods of processing are determined and continue throughout the actual processing.
- Personal Information Impact Assessment (PIIA) Tools:
These gather information, evaluate compliance with the conditions, and assess the risk to people from processing their personal data. Automation helps organisations plan, organise, assign responsibilities and track the progress of each personal information impact assessment. Several templates are available online that can help organisations implement a PIIA.
For example: See https://piia.online
- Privacy Notice Templates:
These outline how an organisation collects, uses, stores, and shares personal information. Several privacy notices are usually required as personal information gets collected for different purposes and legal bases.
For example, our own privacy notice: https://some1.io/privacy-policy
- Data Breach Management Processes:
These outline the steps an organisation takes to prevent and detect a breach and, in the event of one, how to respond, whom to notify, and how to recover normal processing operations.
- Consent Management Tools:
These measures help organisations handle the task of keeping track of consent more efficiently. They make it easier to respond to people's requests for access to their information or withdrawal of consent. Additionally, they help track the fulfillment of consent withdrawal requests.
For example: Some1 allows for a secure, seamless and customizable process for businesses of all sizes.
- Staff Training:
POPIA requires organisations to ensure that their employees understand how to process personal information lawfully, respect people's rights, and identify breaches of personal information. There are online training resources available that can assist your organization in meeting these requirements.
It is important to note that the tools and resources required to comply with POPIA may vary depending on your organisation's size, industry, and processing activities. We recommend consulting with legal and data protection experts to determine the best tools and resources for your specific needs.
How will I find out if I’ve violated the POPI Act?
The Responsible Party has a responsibility to identify any instances where they're not complying with POPIA. It's important for staff and service providers to receive training on how to recognize breaches of personal information.
However, there may still be cases where disgruntled staff or customers raise objections, withdraw consent, or exercise their rights. They might even complain to the Information Regulator (IR) and request an assessment. This could lead to an IR investigation of your entire organization.
When assessing complaints, the IR can help facilitate a settlement between the involved parties without conducting a full investigation if it seems like they can reach a resolution.
However, if the IR determines that your organisation has violated POPIA, it can issue recommendations in an enforcement notice (https://inforegulator.org.za/enforcement-notices/). This notice will require you to take specific actions to rectify the violation within a specified timeframe. Failure to comply with an enforcement notice may result in the imposition of administrative fines or criminal penalties.
How does South Africa’s POPI Act differ from data protection laws in other countries?
POPIA and Europe's General Data Protection Regulation (GDPR) share many similarities concerning the value of privacy and personal life. However, in countries like the U.S.A., privacy isn't viewed as a human right, so privacy enforcement takes a different approach there.
Both POPIA and the GDPR have a primary focus on data protection. They grant individuals specific rights to protect their data and require public and private organizations to respect these rights when processing personal information.
It's worth noting that POPIA offers a more detailed definition of personal information compared to the GDPR. Additionally, it requires a more proactive compliance framework and monitoring system to ensure adherence to its regulations.
The Importance of Following POPIA
As you can see, adhering to the POPIA isn’t something you can do without a plan or understanding what it takes to comply with it. Developing, implementing, monitoring, and maintaining a compliance framework will greatly determine your organisation’s success in following the POPIA’s tenets. Not to mention training your staff, documenting your processes, and developing a data breach response plan. The point is, complying with the POPIA isn’t something you set and forget. And that’s for the best because it’s how we continue to ensure our right to privacy as people.