The Protection of Personal Information Act (POPI), which has been on the cards since 2014, is nearing full implementation following the President’s 22 June 2020 announcement of the commencement of additional sections of the act. According to the Presidency, the act “gives effect to section 14 of the Constitution which provides that everyone has the right to privacy”. Its various sections ensure the protection of personal information that is processed by public and private bodies and seek to balance the right to privacy against other rights, such as access to information. The President proclaimed sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2), and (3) on 1 July 2020.

 

You have 12 months to comply

“These are essential parts of the act and comprise sections which pertain to, amongst others, the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication; and general enforcement of the act,” notes the Presidency, in a statement to mark the proclamation. They made special reference to section 114(1), which requires that “all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the act”. The latest proclamation means that entities will have until 1 July 2021 to ensure full compliance with these sections of the act.

 

POPI is a data privacy law that governs when and how organisations collect, use, store, delete, and otherwise handle personal information. “Generally speaking, personal information is any information that can be used to personally identify a natural or juristic person, including names, identity numbers, age, and addresses,” writes Herbert Smith Freehills South Africa LLP, in a press release issued 22 June. They add that POPI is similar to the European Union’s data privacy law, called the General Data Protection Regulation (GDPR). One of the key differences between these laws is that the former regulates corporate personal information, where appropriate, whereas the GDPR does not.

 

Customers ‘own’ their data

Stakeholders in the financial services sector have been painfully aware of the POPI Act and its various provisions because consumer information is at the heart of the banking, insurance, investment, and savings sectors. Financial advisers, insurance brokers, and product providers have been preparing their business processes and data storage since POPI was signed into law by then-President Jacob Zuma, in November 2013. Sections of the act were implemented as early as April 2014. It is hoped that POPI will, once and for all, settle the dispute between intermediaries and financial services providers as to who owns the customer’s data. Clearly the customer owns his or her data; any stakeholders use this data at the customers’ discretion.

 

Sections 110 and 114(4) of the POPI Act will only commence on 30 June 2021. According to the Presidency, these sections pertain to the amendment of laws and the effective transfer of functions set out in the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission to the Information Regulator. “In this regard, the Commission must finalise or conclude its functions referred to in sections 83 and 84 of PAIA, and all mechanisms must be in place for the Information Regulator to take over these functions,” writes the Presidency. The Information Regulator, established in 2016, published its final POPI regulations on 14 December 2018.

 

Ahmore Burger-Smidt, director at Werksmans Attorneys, discussed some of these regulations in a Business Report Online article, dated 24 December 2018. She observed that the regulations enabled a data subject (your client, for example) to object to the processing of their personal information; to request the correction, deletion, or destruction of their personal information; and to lodge complaints with the Information Regulator. She added that companies would have to appoint an information officer to develop, implement, maintain, and monitor a compliance framework; conduct a personal information impact assessment; and ensure that adequate measures and standards exist for compliance, among other requirements. They should also develop a manual per sections 14 and 51 of PAIA and implement various internal measures to process requests for information.

 

Some interpretation required

Around the same time, law firm Michalsons lamented that the POPI regulations provided little practical guidance insofar as compliance with the act is concerned. They said there were no clear controls and the accountability remained with the responsible party to apply the conditions to their circumstances. “This is very much in line with what we have been saying for years; the regulations are not going to substantially change what you must comply with,” they wrote.

 

What does the 2020 proclamation mean? Herbert Smith Freehills said that organisations will have 12 months from 1 July 2020 to ensure compliance. “Compliance is no easy feat as it requires an analysis of all personal information within your organisation, where you get it from, and what you do with it,” they wrote. They urged organisations that have not yet started implementing POPI to do so as soon as possible or they could face fines, penalties, and other adverse consequences. Compliance requires that you “establish measures that ensure that you only collect, use, store, delete, and otherwise handle personal information in permitted ways and that it is appropriately protected from unauthorised access or loss”.

 

Big data is the future

Many organisations have already welcomed POPI as an opportunity to conduct extensive reviews of their data usage, in growing realisation of the importance of data and big data through the so-called fourth industrial revolution. “Consumers will benefit from POPI’s requirements that their personal information must be protected and that it can only be collected or handled where there is a lawful justification for doing so,” noted Herbert Smith Freehills. Consumers now enjoy specific rights in respect of how organisations handle their personal information, giving them greater control. “Entities that process personal information must ensure that it is done in a lawful way,” concludes the Presidency. “The act is fundamental in safeguarding persons’ personal information and thus protecting them against data breaches and theft of personal information”.

 

Photo by ev on Unsplash / Article by www.fanews.co.za