On the 1st of July 2020, the Protection of Personal Information Act, 2013 (POPI for short) came into force. But what is the POPI Act? And how does it affect me?
What is POPI?
POPI is South Africa’s data privacy law. It stands for the Protection of Personal Information Act, 2013. It is also referred to as POPIA. It governs how and when organizations collect, use, store, delete and handle personal information.
What is considered personal information under POPI?
Generally speaking, personal information is any information that can be used to identify a natural person or a juristic person (in other words, an organization). This information would include names, identity numbers, ages, and addresses.
Who does POPI apply to?
POPI applies to all local and foreign organizations that process personal information in South Africa, in other words, anyone who is collecting, using, or otherwise handling personal information.
What does this announcement mean for my organization?
You will have 12 months from 1 July 2020 to become compliant. This means, although there will be no sanctions for non-compliance, you need to work towards compliance. For most organizations, this will be no easy task. It will require an analysis of all personal information in your organization, where you get it from, and what you are doing with it.
It is recommended that organizations work towards compliance sooner rather than later, as they can face penalties, fines, and adverse consequences in the future. Now is a good time to instill a data privacy awareness program within your organization.
What does POPI compliance entail?
You will have to establish measures that ensure the collection, usage, storage, deletion, and handling of personal information is done in the permitted ways, and that it is appropriately protected from unauthorized access or loss.
These measures will differ from organization to organization, but in practice, it means a culture of data protection will be cultivated.
Does POPI provide any benefit to your business?
POPI provides the opportunity to analyze and have more control over the data that is handled in your organization. Better data management effectively leads to efficiency and effectiveness.
What does POPI mean to the consumer?
Consumers will benefit from POPI’s requirements that their personal information must be protected and that it can only be handled and collected where there is a lawful justification for it.
It gives the consumer specific rights with respect to how organizations handle their information, and it gives them more control over their personal information. Consumers are informed about what information is collected, by whom, and why, so they can make an informed decision.
Who regulates POPI?
It is regulated by the Information Regulator.
What are the fines for non-compliance?
The fines and penalties will vary depending on the offense, with a maximum of 10 years in prison or an R10 million fine.
Does POPI add anything to my constitutional right to privacy?
Every person has a constitutional right to privacy, which has many aspects (including privacy in the home, private communications, and private information about a person).
POPI gives practical effect to that right insofar as it relates to personal information handled by organizations. It provides a direct mechanism through which that aspect of the right can be enforced.
Is POPI different from the GDPR?
POPI is similar to the EU’s data privacy law, the General Data Protection Regulation (GDPR), but it differs in some respects. The main difference is that POPI regulates corporate personal information, where appropriate, whereas the GDPR does not.