This handy checklist provides a proven step-by-step, action-point approach to compliance.

POPI or POPIA – understanding the difference

Protection of Personal Information (POPI) isn’t new in South Africa. The Protection of Personal Information Bill was around in 2009, which meant that the discussion had been going on for years before that. We became used to talking about POPI, and the Information Regulator now prefers to use the term POPIA, or POPI Act.

Is there a difference?

What is POPI?

POPI stands for Protection of Personal Information. Regardless of whether there is a law or not, organisations should be considering what Personal Information they capture, manage and store, and how best to secure this. It makes common, logical sense that this information is sensitive and shouldn’t be exposed.

One of the principles that we all should consider is “privacy by design”. This means that we should consider privacy implications in all our processes and systems, and build security and privacy concepts into the day-to-day operation of our organisations. POPI is all about privacy, and this means security.

In order to secure information, organisations need to clearly understand what information is gathered and kept.  This is going to require a detailed investigation and shouldn’t be seen as a trivial exercise.  Once understood, steps need to be taken to protect the information.

What is POPIA?

POPIA stands for the Protection of Personal Information Act, Act No. 4 of 2013, or POPI Act. This is the new law and is something that most (if not all) organisations will need to follow. Is there a difference between POPI and POPIA? Yes and no.

POPI is the act of protecting Personal Information. This implies that all the policies, procedures, processes and practices in the organisation relating to personal information are, in fact, doing POPI. You cannot “do” POPIA, as this is merely the name of the law. In summary, in order to comply with POPIA, you need to implement a POPI programme.

In order to implement one, there are a number of steps which need to be followed and a number of documents and instruments which need to be developed. We’ll be documenting these as things progress. Join our mailing list to keep up to date with the latest POPIA developments.

Purpose of the Act

The increasing number of cases of theft and misuse of people’s personal information has led to the need to promulgate regulations to protect personal information and one’s right to privacy.

The POPI Act sets out the minimum standards regarding accessing and ‘processing’ of any personal information belonging to another. The Act defines ‘processing’ as collecting, receiving, recording, organizing, retrieving, or the use, distribution or sharing of any such information.

The POPI Act (POPIA) was signed into law in November 2013, and the remaining provisions of the Act were due to come into effect on 1 April 2020; however, given the current Covid-19 pandemic and the emergency need to redeploy efforts, these were delayed.

On 22 June 2020

The President issued a Proclamation on 22 June 2020, commencing some sections of the POPI Act which came into effect on 1 July 2020, namely sections 2 to 38, 55 to 109, 111 and 114(1), (2) and (3). These sections largely deal with the application and exclusion provisions, the lawful processing of personal information and respective exemptions, the Information Officer, prior authorization, codes of conduct and provisions regulating direct marketing. Sections 110 and 114(4) are due to come into effect on 30 June 2021.

Defining personal information

Personal information is any information that may identify a person such as a name, surname, identity number, contact number, email address, religion, medical history, education, financial or any other information that is unique to an individual.

This checklist provides a step-by-step guide for businesses to comply with POPIA. The checklist is not exhaustive, and businesses should consult with a legal advisor to ensure that they are fully compliant with the Act.

Step 1: Appoint a Data Protection Officer (DPO)
If your business processes personal information on a large scale or in a sensitive manner, you are required to appoint a DPO. The DPO is responsible for overseeing your business’s compliance with POPIA.

Step 2: Implement security measures
You must implement appropriate security measures to protect personal information from unauthorized access, use, disclosure, or destruction. These measures should be proportionate to the sensitivity of the personal information that you process.

Step 3: Obtain consent
You must obtain consent from individuals before you collect, process, or use their personal information. Consent can be express or implied. Express consent is given when an individual explicitly agrees to the processing of their personal information. Implied consent is given when an individual’s actions indicate that they consent to the processing of their personal information.

Step 4: Provide information to data subjects
You must provide individuals with certain information about the processing of their personal information. This information includes the purpose for processing the information, the categories of personal information that will be processed, and the recipients of the information.

Step 5: Allow data subjects to access their personal information
Data subjects have the right to request access to their personal information. You must provide data subjects with a copy of their personal information within 30 days of receiving their request.

Step 6: Allow data subjects to correct or delete their personal information
Data subjects have the right to correct or delete their personal information if it is inaccurate or incomplete. You must correct or delete the information within 30 days of receiving their request.

Step 7: Report data breaches
If you experience a data breach, you must report it to the Information Regulator within 72 hours of becoming aware of the breach. You must also notify the affected data subjects.

Step 8: Conduct regular audits
You must conduct regular audits to ensure that your business is compliant with POPIA. These audits should be conducted by a qualified professional.

By following the steps in this checklist, you can help to ensure that your business is compliant with POPIA. POPIA is a complex law, and businesses should consult with a legal advisor to ensure that they are fully compliant with the Act.