Why do we need the Protection of Personal Information Act?
Essentially, the purpose of the Protection of Personal Information Act (POPIA) is to protect people from harm by protecting their personal information: to stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right.
To achieve this, the POPIA sets conditions for when it is lawful for someone to process someone else’s personal information. From 1 July 2021, the substantive implementation of key provisions of the POPIA will finally become enforceable. This legislation, among other things, promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.
Any natural or juristic person who processes personal information, including large corporates and government, must comply. The data protection laws of many other countries exempt SMEs, but South Africa currently does not.
What are the penalties for non-compliance?
There are essentially two legal penalties or consequences for the responsible party:
- A fine of between R1 million and R10 million, or imprisonment of one to ten years.
- Paying compensation to data subjects for the damage they have suffered.
It is very unlikely that anyone will go to jail and the fines are small compared to other jurisdictions.
The other penalties include:
- Reputation damage
- Losing customers (and employees)
- Failing to attract new customers
But your main motivation for complying with the POPIA should be to protect people from harm.
Our POPI services
Erasmus Botha Inc is a legal practice that specialises in Administrative Law and Commercial legal advisory services. Our POPIA compliance services assist businesses with a heat map to check their compliance levels and areas of risk relating to POPIA compliance, and help to expedite the POPIA compliance process.
Type of POPI services we offer:
POPI introduction and training, which includes, inter alia:
- An introduction to the rationale underpinning the concepts in the POPI.
- Key terms and definitions to identify various stakeholders.
- The 8 (eight) conditions for processing personal information.
- The importance of implementing security safeguards.
- The rights of data subjects vis-à-vis the obligations of responsible parties.
- Conditions for the lawful processing of personal information.
- Exclusions and exemptions to POPIA.
- Special personal information and exemptions.
- Enforcement mechanisms, offences, penalties and administrative fines.
POPI compliance audit. A comprehensive audit and checklist assessment, which includes, inter alia:
- Have you completed your data processing and protection due diligence and impact assessments?
- Have you secured valid consents to use the data of your data subjects?
- Have you entered into a contract with service providers who process your customers’ personal information to ensure they are POPIA compliant?
- Have you appointed an information officer?
- Do you know how to address data processing operations that trigger material data protection risks?
- Do you know what to do if you experience a data breach?
- Are you able to prove you are POPIA compliant?
- Are privacy rules now embedded in your technology and business practices?
- For cross-border transfers, do you know how to transfer and process personal data of EU residents, and are you able to transfer personal data from Africa to the EU?
- Have you identified and engaged with lead supervisory authorities regarding privacy law in all the jurisdictions in which you operate?
- Have you considered privacy law enforcement and sanctions – both in terms of hefty monetary fines and reputational disasters?
POPI report and legal document checklist and drafting. Once we have determined your compliance shortfalls, we will assist with, inter alia:
- Appointing an Information Officer.
- Raising awareness amongst all employees.
- Amending contracts with operators.
- Reporting data breaches to the regulator and data subjects.
- Checking that you can lawfully transfer personal information to other countries.
- Ensuring that personal information is only shared when you are lawfully able to do so.
- Document drafting, training and implementation.
If you would like to instruct us to assist with your POPIA compliance, or have any business legal enquiries, you are welcome to connect with Director, Yolandi Erasmus, on [email protected] or 079 528 5087.