POPI comes into effect on 1 July 2021 – What you need to know

Here is a practical guide to the most important aspects of the POPI Act, which will come into effect on 1 July 2021.

All businesses with employees, customers and suppliers must comply with the Protection of Personal Information Act (often called the POPI Act or POPIA), which comes into effect on 1 July 2021.

Wendy Tembedza from Webber Wentzel recently shared a nifty practical guide on Moneyweb that covers the most important aspects of this act.

Wendy writes that businesses should now review their use of personal information to determine whether it complies with the act.

“It is important to understand that any business that has employees, customers and suppliers must comply with POPI when dealing with personal information,” she wrote.

How to kick-start your compliance exercise

Figure out what personal information you process and why

Under POPI, a business must be able to justify why it holds personal information based on one of the several justifications set out in POPI. This is a good opportunity for a business to assess what information it collects (whether from employees, customers, service providers or other third parties such as credit bureaus) and review whether that information is actually necessary for the purposes for which it was collected.

Get rid of what you do not need

Under POPI, a business cannot keep a record of personal information once the reason for which it was collected no longer exists, unless required by law.  For example, unless required by law, a business should not keep personal information of any former supplier when the relationship has ended.  Businesses should therefore check whether they are holding onto any old records of personal information that they no longer need and dispose of them in a secure manner.

Look at security

Correct management of personal information means appropriate security must be in place to protect it. POPI requires a business to put in place “appropriate, reasonable technical and organisational measures” to prevent loss, theft, or damage to personal information.  The suitability of security measures will depend on the business and the type of personal information it holds.

Get consent before sending marketing material

Opt-out marketing emails and SMSs are a thing of the past under POPI. Unless a person is an existing customer, a business cannot send him or her marketing emails or SMSs without first getting consent from the person. 

Go for the easy wins

POPI compliance may seem like a daunting task but there are some “easy wins” when it comes to compliance. Basic documents used by the business will likely need updating for POPI compliance. These include company privacy policies and employee and supplier contracts. All these documents should aid the business in proving its compliance with POPI.

The purpose of this act

According to the POPIA website, the purpose of this act is to:

  1. give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at — balancing the right to privacy against other rights, particularly the right of access to information; and protecting important interests, including the free flow of information within the Republic and across international borders;
  2. regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
  3. provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this act; and
  4. establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this act.