South Africa’s Protection of Personal Information Act (POPIA) finally came into full force on 1 July 2020 except for two provisions, sections 110 and 114(4), which will only commence on 30 June 2021. While the Act has been put into operation incrementally since April 2014, there is still much uncertainty regarding what is expected from companies to ensure compliance.
The operational provisions which commenced on 1 July 2020 are:
- The eight conditions of lawful processing.
- The appointment and obligations of the information officer.
- Rights of individuals regarding direct marketing through unsolicited electronic communications and automated decision making.
- Provisions regarding the transfer of personal information outside of South Africa.
- Enforcement provisions; and
- Offences, penalties, and administrative fines.
There is a 12-month transition period, ending on 30 June 2021, which both public and private bodies should use to become compliant.
What Can I Do to Get POPI Compliant?
Technical Measures
There are various technical ways to protect personal information. At the highest level, these include de-identification, where you strip the information of everything that identifies, or can be linked to, a data subject; pseudonymisation, where identifying details in a data set are swapped for tokens that can only be resolved back to a person using additional information (such as a lookup table or key) that is stored separately and under separate access controls; and encryption, where the contents are scrambled with a key so that they are unreadable to anyone without it. The caveats matter: pseudonymised data is still personal information as long as the means to re-identify it exist, and encryption protects information only as well as the key is protected, so key storage and access must be separated from the encrypted data.
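As an added illustration (this is example code, not from the original page or any POPIA guidance), the following Python shows the difference between pseudonymisation and de-identification on a constructed customer record. The field names, the sample record and the "vault" are assumptions for the example: the record contains direct identifiers (ID number, name, email) and quasi-identifiers (date of birth, postal code); pseudonymisation replaces the direct identifiers with a keyed token and writes the reverse mapping to a separate vault, while de-identification removes them outright and generalises the quasi-identifiers so that nothing can be reversed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record for illustration only; not a real person.
CUSTOMER = {
    "id_number": "8001015009087",
    "name": "Thandi Example",
    "email": "thandi@example.org",
    "date_of_birth": "1980-01-01",
    "postal_code": "2196",
    "purchases": ["laptop", "mouse"],
}

# Fields that identify the data subject on their own (assumed for this example).
DIRECT_IDENTIFIERS = ("id_number", "name", "email")


def pseudonymise(record, key):
    """Swap direct identifiers for a keyed token.

    Returns (pseudonymised_record, vault_entry). The vault entry (token -> identifiers)
    and the HMAC key are the "additional information" that must be stored separately
    from the pseudonymised data set; without them the token cannot be resolved.
    A keyed hash is used so the same subject gets the same token across batches
    without consulting the vault, but only by someone holding the key.
    """
    token = hmac.new(key, record["id_number"].encode(), hashlib.sha256).hexdigest()[:16]
    pseudo = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    pseudo["subject_token"] = token
    vault_entry = {token: {k: record[k] for k in DIRECT_IDENTIFIERS}}
    return pseudo, vault_entry


def reidentify(pseudo, vault):
    """Restore the identifiers using the separately held vault (token -> identifiers)."""
    identifiers = vault[pseudo["subject_token"]]
    full = {k: v for k, v in pseudo.items() if k != "subject_token"}
    full.update(identifiers)
    return full


def deidentify(record):
    """Remove direct identifiers and generalise quasi-identifiers; not reversible."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("date_of_birth")[:4]   # keep only the year
    out["postal_area"] = out.pop("postal_code")[:2]    # keep only the area prefix
    return out


def leaks_identifiers(record, original):
    """True if any direct identifier value from `original` still appears in `record`."""
    blob = json.dumps(record)
    return any(original[k] in blob for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store this with the vault, never with the data set
    pseudo, vault = pseudonymise(CUSTOMER, key)
    print("pseudonymised:", pseudo)
    print("re-identified:", reidentify(pseudo, vault))
    print("de-identified:", deidentify(CUSTOMER))
```

The point to take from the example is the separation of duties: analysts working on the pseudonymised set need neither the key nor the vault, and a breach of that set alone exposes no direct identifiers, whereas the de-identified set can be shared more freely because there is nothing left to resolve.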
Reconsider Your Direct Marketing Methods
Chapter 8 of the POPI Act sets out the conditions under which you may send direct marketing by means of unsolicited electronic communications (such as email, SMS or automated calls). The recipient of such marketing communications must either:
- Give their consent, or
- Be an existing customer.
In either case, there must be a clear way to withdraw from receiving marketing communications. This could be, for example, an unsubscribe link in an email.
Get the Necessary Consent from Your Clients
The POPI Act defines consent as a "voluntary, specific and informed expression of will". This means that every person whose information you collect for a future use must give their consent to that use by actively opting in or subscribing. You are not allowed to assume that someone has consented, and a pre-ticked box or silence does not count. Furthermore, the request to receive communications must be separate from other requests, and you should explain clearly beforehand what the person is consenting to and what it will be used for. Present a link to your Privacy Policy at the point of collecting any personal information, and keep a record of when and how consent was given so that you can demonstrate it later.
Treat Existing Customers Fairly
Companies store and handle lots of personal information. Make sure that you know where that information is stored, where it is generated and how it is used.
You do not need consent to send direct marketing to your existing customers, so long as:
- You received their contact details in the context of making a sale,
- You are marketing something relevant to a product or service they have already bought, and
- You offer the person a clear means to opt out, both when you collect their details and in every marketing communication you send.
Create A Privacy Policy and Other Consent Documents
The general purpose of a Privacy Policy is to inform users exactly which personal information is gathered by your site or mobile app, how it is used, and how it is protected. It should be explained in clear language and be accessible through your company’s website.
Appoint A Designated Information Officer
Under the POPI Act the head of a private body is its information officer by default; the role may be delegated, and deputy information officers may be designated, but the information officer must be registered with the Information Regulator before taking up the role. This person is responsible for ensuring compliance with the POPI Act, dealing with data subject rights requests, and working with the Information Regulator.
You need to know and understand the impact of POPIA on your specific organisation so that you can decide on the best next steps. Complying with POPIA is not a case of one size fits all: different organisations need to take different actions to comply. Start by mapping what personal information you hold, where it is stored and who has access to it, so that the measures you choose address your actual risks.