The A-Z of the POPI Act

The Protection of Personal Information (POPI) Act came into full effect on the 1st of July 2021. If you still haven’t implemented your POPI compliance strategy, it is strongly advisable that you take quick and decisive steps to do so as non-compliance could carry hefty penalties. To ensure that you get your (POPI) act together, we’ve put together a handy list of A-Z* terms that you should consider in your quest for information protection.

A – Accountability: One of the 8 conditions for processing personal information, which governs that both the means and the purpose thereof must be determined before processing can take place.

B – Big data: With modern data-practices where large quantities of information are constantly being processed in a short time, you will need to ensure that you have infrastructure in place to deal with these kinds of large-scale processes lawfully.

C – Consent: You need to provide your data subjects with enough information for them to make an informed decision on whether you may process their personal information. They may only be approached for consent once.

D – Data Subject: The legal persons/entities whose information you collect and process are called data subjects.

E – Eradication: When information is no longer used for the purpose it was collected, you will need to dispose of that information without a way to recover it.

F – Freedom: While POPI does restrict the liberty with which businesses have been processing data in the past, it is in fact aimed at rectifying the lack of freedom and privacy data subjects have been forced to deal with for much too long.

G – GDPR: The GDPR (General Data Protection Regulation) is the EU’s data protection law and is similar to POPI in many ways. Be sure to understand by which jurisdiction your data is regulated.

H – How: According to the POPI Act, the manner in which you process personal information must be pre-determined and communicated clearly to your data subjects.

I – Information officer: Every business should appoint someone to handle their data processes and take responsibility for ensuring compliance with the POPI Act.

J – July 2021: The POPI Act is lawfully enforceable from the 1st of July 2021.

L – Limitations on Processing: A variety of limits exist on the processing of personal information, including obtaining it from the data subject, gaining of consent, scope (you cannot collect excessive data), and more.

M – Marketing: POPI has a significant effect on marketing practices. And as such, traditional ‘grey areas’ in the processing and use of personal information are now much more ‘black and white’.

N – Notice: You must provide your data subjects with a notice of how their information is collected, processed, used and disposed of, as well as what the purpose of that information is.

O – Openness: The data subjects must always be able to access their data, be able to see what data you possess, and be able to make changes to their data.

P – Penalties and fines: Non-compliance is prosecutable, with fines of up to R 10 000 000 and imprisonment of up to 10 years.

Q – Quality of information: Personal information must always be kept accurate, complete, and up to date.

R – Regulator: South Africa has an Information Regulator who is empowered to monitor and enforce compliance to the POPI Act. It is an independent regulatory authority.

S – Security: As a condition for processing personal information, you are required to take all reasonable measures to ensure that the information of your data subjects is protected, secured, and encrypted.

T – Third-party processing: Your data subjects have to consent to the use of their information by third-parties and the details thereof must be clearly outlined before you collect their personal data.

U – Unsubscribe: Where you previously might have gotten away with sending unsolicited communication with the option to unsubscribe, now you will need to ensure that your data subjects opt in for communication.

V – Veracity: All the data you process must be accurate, and it is your responsibility to ensure that you update your databases regularly.

W – Why: The purpose for which you collect and process personal information must be clearly defined and communicated to data subjects.

Y – Yearly review: You will need to regularly review your POPI plan and ensure that your processing standards remain up to date. Therefore, it is advisable to review your data systems and POPI protocols at least once a year.

Z – Zero Trust (ZT) Architecture: As a security measure some companies have implemented ZT Architecture, which ensures that the authority and access to data is checked at every point of access and not just trusted because of the network through which it moves. This is not a requirement of POPI.

*Please note there are no entries for K or X.

To ensure that you have everything in place to protect yourself (as an information processor) and your data subjects (whose sensitive data you collect) with regard to the POPI Act, please get in touch with your trusted advisor.

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your adviser for specific and detailed advice. Errors and omissions excepted (E&OE)