Unpacking POPIA: Can you afford not to comply?
Authors: Natasha Jansen – Consultant, Zaakira Haffejee – Associate & Kate Foster – Candidate Attorney
President Cyril Ramaphosa’s announcement on the commencement dates of several core provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) with effect from 1 July 2020, means that organisations have to act fast in order to ensure that all forms of processing of personal information within their business are POPIA compliant before the Act becomes enforceable on 1 July 2021.
The importance of data protection has become more topical in recent years following the ever-growing digitalisation of our world and how we conduct business. POPIA is South Africa's first piece of comprehensive legislation primarily concerned with data protection. It aims to give effect to the constitutional right to privacy by introducing measures that regulate the collection, processing and use of personal information by both private and public bodies in a fair, transparent, and secure manner.
In an era where personal information is commoditised, POPIA comes at a critical time to protect against exploitation and abuse. The security risks surrounding personal information have become even more urgent as many people are forced to work from home due to the COVID-19 pandemic, increasing the risk of security breaches for companies, as well as the need for compliance with POPIA.
POPIA aims to align South Africa with global data protection legislation and best practices, and in many instances is compatible with Europe’s General Data Protection Regulation (GDPR). Since POPIA was signed into law in 2013, various developments have taken place such as the appointment of the Information Regulator in 2016 and publication of the final Regulations in 2018.
POPIA identifies eight conditions for the lawful processing of personal information, each encompassing vital considerations for any person or business involved in the processing of personal information, which we very briefly outline below:
Accountability: a responsible party must implement and ensure compliance with the conditions for lawful processing of personal information under POPIA, and as such will be accountable for the personal information it processes and liable in the event of a breach of the provisions of the Act.
Processing limitation: processing must be lawful and done in a reasonable manner that does not infringe the data subject’s right to privacy, and must be adequate, relevant and not excessive for the purpose. Personal information may only be processed with the data subject’s consent or under one of the other justifications set out in the Act (for example, where processing is necessary to perform a contract with the data subject or to comply with a legal obligation), and the burden of proving consent rests on the responsible party. As far as reasonably possible, personal information must be collected directly from the data subject.
Purpose specification: this condition is aimed at establishing the scope of data processing with a defined and lawful purpose, requiring the responsible party to identify the purposes for which the personal information will be processed and informing the data subject of those identified purposes. This condition further prohibits the retention of personal information for longer than is necessary to fulfil its intended purpose, subject to certain exclusions.
Further processing limitation: this condition ensures that the processing of personal information remains consistent with the initial purpose for which the data was collected.
Information quality: reasonably practicable steps must be taken to ensure that personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which it is processed. Therefore, the sources of personal information must be considered, and steps must be taken to verify the quality and accuracy of personal information received and to keep it current for as long as it is being processed.
Openness: this condition requires openness and transparency regarding how and why personal information is being collected and processed. POPIA sets out certain notification requirements that the data subject should be made aware of at the point of collecting personal information, which includes, among other things, who will be collecting and processing the personal information, the purpose for which the information is being collected, the consequences of failure to provide the information as well as the intention to transfer personal information outside of South Africa and the level of data protection that will be afforded to that personal information while being processed cross-border.
Security safeguards: this condition requires a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it. In practice this means identifying the reasonably foreseeable internal and external risks, establishing and maintaining safeguards against them, regularly verifying that those safeguards are effectively implemented, and updating them as new risks emerge. Where an operator processes personal information on behalf of the responsible party, the operator must do so only with the responsible party’s knowledge or authorisation, treat the information as confidential, and be bound by a written contract to maintain the same security measures. POPIA also obliges the responsible party to notify both the Information Regulator and the affected data subjects, as soon as reasonably possible after discovery, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person; an operator that discovers such a compromise must notify the responsible party immediately.
Data subject participation: the data subject must be provided with the opportunity to participate in how their personal information is used and processed and to maintain control over their own personal information through, among other things, facilitating their right to access their own information and affording them the right to request the correction or deletion of their personal information or object to the processing of their personal information.
Non-compliance with POPIA carries, in addition to a substantial risk of reputational damage, administrative fines of up to R10 million imposed by the Information Regulator and, for certain offences under the Act, criminal penalties of a fine or imprisonment of up to 10 years, or both, depending on the seriousness of the infringement. It is therefore imperative that businesses put the necessary measures in place to become compliant with POPIA and to maintain that compliance.
With many people working from home, the adequacy of existing security measures must be re-examined. Employees working from home continue to process personal information on behalf of their employer, and the employer, as the responsible party, remains accountable under POPIA for that processing wherever it takes place. Companies have mostly invested in protecting information flowing in and out of their offices and networks, but those protections do not always extend to employees working remotely on home networks and personal devices. Employers must therefore ensure that their security safeguards, such as access controls, device and connection security and monitoring tools, reach employees working from home, bearing in mind that monitoring employees is itself a form of processing of their personal information and must satisfy the same conditions for lawful processing. Employee training on the importance of compliance with POPIA and on the security measures implemented by the business is also a crucial aspect of achieving compliance.
For many businesses, POPIA compliance is unknown territory as it introduces regulatory changes that will have a substantial impact on how a business uses and processes personal information throughout the entire data life cycle, from collection to destruction. POPIA has an effect on business practices, processes, policies, documentation, and agreements in almost every industry. The complexities and far-reaching implications of POPIA demonstrate a need for comprehensive compliance across all facets of a business.
Our Corporate Commercial team is well placed to take clients through their entire data privacy compliance journey, providing training and awareness, data privacy gap assessments, legal advice around POPIA compliance measures and planning for implementation, and drafting privacy-related documents, policies and agreements. Contact our Corporate Commercial team for more information on how we can guide and assist you with effectively incorporating and implementing POPIA into your business.
Note: “responsible party” is defined in section 1 of POPIA as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Lawtons Africa is a South African law firm. With roots that grew out of seeds sown in down-town Johannesburg in 1892, our history features various changes and different names. Our team of lawyers, including directors, consultants, associates and candidate attorneys is highly qualified, market-recognised and skilled. For further information, visit www.lawtonsafrica.com