PoPI commencement date announced – here's what you need to know
President Cyril Ramaphosa has finally announced that the operative provisions of the Protection of Personal Information (PoPI) Act, 2013 will come into force on July 1.
What is PoPI?
PoPI is South Africa's data privacy law and it stands for the Protection of Personal Information Act, 2013. It is sometimes also referred to as PoPIA. It governs when and how organisations collect, use, store, delete and otherwise handle personal information.
What is personal information under PoPI?
Generally speaking, personal information is any information that can be used to personally identify a natural or juristic (i.e. organisations) person. This includes name, identity number, age and addresses.
Who does PoPI apply to?
PoPI applies to all local and foreign organisations processing (i.e. collecting, using or otherwise handling) personal information in South Africa.
What does this announcement mean for your organisation?
You will have 12 months from July 1 to become compliant. This means that although there will be no sanctions for non-compliance, you must work towards compliance. For most organisations, this is no easy feat as it requires an analysis of all personal information within your organisation, where you get it from and what you do with it. We recommend that organisations that have not yet started becoming compliant, do so as soon as possible or they could face fines, penalties and other adverse consequences in future. It is also a good time to commence a data privacy awareness programme within your organisation.
What is PoPI compliance?
You will need to establish measures that ensure that you only collect, use, store, delete and otherwise handle personal information in permitted ways and that it is appropriately protected from unauthorised access or loss. The measures that each organisation employs will be different but in practice, it will mean more policies and procedures for your organisation and you will need to inculcate a culture of data protection in your organisation.
Does PoPI provide any benefit to businesses?
PoPI provides the opportunity to analyse and have more control over the data handled within your organisation and to better understand its purposes. As data is an increasingly valuable resource, better data management can increase the efficiency and effectiveness of any business.
What does PoPI mean for consumers?
Consumers will benefit from PoPI's requirements that their personal information must be protected and that it can only be collected or handled where there is a lawful justification for doing so. PoPI gives consumers specific rights in respect of organisations handling their personal information and it gives consumers greater control over their personal information. Consumers are informed about what personal information is collected, by who and why so that consumers can make informed decisions.
Who regulates PoPI?
PoPI is regulated by the Information Regulator.
What are the fines and penalties for non-compliance?
The fines and penalties vary depending on the offence, with a maximum of 10 years in prison or an R10 million fine.
Does PoPI add anything to my constitutional right to privacy?
Every person has a constitutional right to privacy, which has many aspects (including privacy in the home, private communications and private information about a person). PoPI gives practical effect to that right insofar as it relates to personal information handled by organisations. It provides a direct mechanism through which that aspect of the right can be enforced.
Is PoPI different from the GDPR?
PoPI is like the EU's data privacy law, called the General Data Protection Regulation but it differs in some respects. The main difference is that PoPI regulates corporate personal information, where appropriate, whereas the GDPR does not.
Content supplied by Herbert Smith Freehills South Africa.