The POPI Act was enacted in 2013, but has yet to be put into practice in South Africa. Its impending implementation has sent many business owners and marketers into a frenzy to ensure that their practices do not contradict the Act.
To make sure you are 100% ready for the implementation, media update’s Aisling McCarthy answers some of the most frequently asked questions about the POPI Act. Here they are:
QUESTION 1: What is the POPI Act all about?
The POPI Act aims to encourage the protection of personal information that is processed by both public and private bodies. To do this, the Act will introduce certain conditions that establish the minimum requirements businesses must comply with when processing personal information.
The Act also aims to give people rights when it comes to unsolicited electronic communications.
Basically, it’s a code of conduct that all businesses must comply with.
QUESTION 2: When will the Act be implemented?
Now here’s a question that has been asked again and again — and the answer seems to keep changing. Since the Act was signed into law on 19 November 2013, people have been asking when the Act will come into place. In a briefing on 13 February 2017, advocate Pansy Tlakula (the appointed chairperson of the Information Regulator) said that the majority of the provisions of the POPI Act would only come into operation once the Regulator was fully operational. It was expected that the Regulator would be up and running around December 2018.
While the Act hasn’t been implemented just yet, it’s fair to assume that it will be some time this year. Once the Act is in place, parties will be given a one-year transition period to comply — but the roll-out of a comprehensive POPI compliance plan can take between six months and two years to finalise. So if you haven’t already — you’d best start working on it!
QUESTION 3: What counts as ‘personal information’?
In terms of the Act, personal information is data that can be used to identify a person. It is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”
This information about a person includes, but is not limited to:
- Marital status
- National / ethnic / social origin
- Sexual orientation
- Physical or mental health
- Religion / beliefs / culture
- Educational / medical / financial / criminal or employment history
- ID number
- Email address
- Physical address
- Telephone number
- Biometric information
- Personal opinions, views or preferences
QUESTION 4: Who will the POPI Act affect?
Put simply — just about everyone.
All companies will be affected by the Act, but in particular, companies that deal with a large amount of personal information — think banks, insurance companies, medical aids, etc. Such companies need to have systems in place to deal with personal information. Plus, the POPI Act also has guidelines about direct marketing — so any brand sending messages or emails to consumers without them opting in, beware!
QUESTION 5: How will the POPI Act affect my business?
Firstly, it will affect the way you manage information. You’ll need to classify any consumer data that you hold and identify whether it constitutes ‘personal information’. You’ll also be required to identify any ‘records’ and ‘sensitive’ information you might hold — remember that there are different criteria for handling personal information and non-personal information.
It will also affect the way you notify stakeholders. Third parties will have to be notified as soon as possible if there is a privacy breach and personal information is compromised.
QUESTION 6: Why should I comply with the Act?
Well, for starters — it’s the law.
Also, there are other benefits to complying with the Act. According to POPI.biz, consumer studies have shown that in 90% of cases, consumers would rather do business with companies that are transparent and comply with legislation than any other business. Let that sink in.
QUESTION 7: Isn’t the POPI Act the same thing as the GDPR?
Sort of, but not really. It’s best to think of them as different flavours of the same thing. If you’re GDPR-compliant (that’s General Data Protection Regulation, for those of you living under a rock), you’re pretty much POPI-compliant.
They are similar in some ways. Namely, they both lay down the law for processing and storing personal information and the rules for notifying third parties if there are security breaches.
However, they differ in the sense that the security regulations differ slightly, as follows:
GDPR: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to risks represented by the processing and the nature of the personal data to be protected.”
POPI: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”
Further, the penalties for a breach of each differ: a breach under the GDPR can draw a fine of up to four percent of annual global turnover or €20-million, whichever is greater. This kind of fine would cripple most South African companies.
QUESTION 8: Post-POPI, do marketers need to get permission to contact consumers already on their direct mailing lists?
In a previous media update article, Elizabeth De Stadler — founding director of the consumer and data protection consultancy Novation Consulting — answered this with a resounding ‘No’.
“If the marketer got permission, they’re golden. If a marketer told me when they collected my information that they are going to use it to send me specials, then gave me the opportunity to unsubscribe every time I got the email — there is that unsubscribe at the bottom — then they’re also fine.”
“If you’ve been emailing me for 10 years and I haven’t said anything, then there is this soft opt-in concept. So, to answer your question, yes and no. The marketers that behaved in an ethical way will be able to continue to market to their lists,” she said.
QUESTION 9: What happens if I don’t comply with the Act?
For starters, any person can be guilty of an offence in terms of the Act if they:
- Hinder, obstruct or unlawfully influence the Regulator
- Fail to comply with an enforcement notice
- Fail to attend hearings — or lie under oath at a hearing
- Act unlawfully in connection with account numbers (even if they are a third party)
Now that you know exactly what will get you in trouble, here’s what you could be in for:
For more serious offences, the maximum penalties are a R10-million fine, or imprisonment for a period of up to 10 years — or a combination of both. YIKES.
For less serious offences, like hindering an official trying to execute a search and seizure warrant, the maximum penalty would be a fine, imprisonment for up to 12 months or a combination of the two.
QUESTION 10: Is there other legislation in SA that regulates privacy?
While POPI is expected to be the primary legislation when it comes to dealing with the protection of information, it certainly won’t be the only one.
Other Acts regarding the protection of personal information will have to comply with the principles set out in the POPI Act. This means that all existing legislation will have to be amended to ensure compatibility. According to the South African Law Commission, which drafted the POPI Act, the biggest changes to other Acts will be as follows:
- The Electronic Communications and Transactions Act’s privacy provisions will fall away (where there are duplications of POPI).
- The Promotion of Access to Information Act will see all sections dealing with a person’s own personal information fall away and be dealt with in POPI.
- The National Credit Act and Consumer Protection Act will be amended and see all sections dealing with privacy removed and dealt with in POPI.
Now that you know a little more about the Act, why not check out this POPI Act glossary of terms to make sure you fully understand it?