In the information age, data is commonly considered a valuable asset. To avoid the exploitation of information at the expense of individuals, the Protection of Personal Information Act 4 of 2013 (“POPIA”) was enacted.
Although the POPIA was signed into law in 2013, only a few limited sections pertaining to the Act’s definitions, the Information Regulator, and the Regulations are in force. In preparation for the commencement of POPIA, it is imperative that all parties affected are aware of their rights and obligations.
POPIA regulates South African institutions and the manner in which they collect, store, process, disseminate, and delete information. For purposes of POPIA, a responsible party refers to any body or person who determines the purpose of, and methods for, processing personal information, and a data subject refers to the person to whom personal information relates.
POPIA’s Benefits for Individuals
POPIA functions to protect the personal information of the average citizen as the data subject.
Let us have a look at some of the new data subject rights which POPIA creates:
1) The right to know who collects your information
Data subjects have the right to be informed if any institution or individual is collecting their personal information, or if their personal information has been accessed by any unauthorised persons.
2) The right to access your information
Data subjects have the right to access their personal information in the possession of a responsible party. Data subjects may request that the responsible party confirm its possession of their information, provide a description of the information it possesses and disclose any third parties who have had access to their information.
3) The right to request the correction or the deletion of information
Data subjects may request an entity to correct or delete information which is inaccurate, irrelevant, excessive, out of date, misleading, incomplete or was obtained unlawfully. Responsible parties can refuse such a request, but such a refusal must be explained.
4) The right to object to the processing of information
Data subjects have the right to reasonably object to the processing of their personal information.
5) The right to complain or enquire about the compromising of personal information
The data subject may submit an inquiry or complaint to the Information Regulator if they suspect any interference with the protection of personal information of any data subject.
6) The right to refuse direct marketing
If you are a potential or new customer, an institution must obtain your consent prior to sending you direct marketing communications. They must ask you to confirm how you want to receive the communication, for example via email or SMS, and for which goods or services. They may only contact you once to obtain your consent. If you deny consent, they may not contact you again regarding same. If you are an existing customer with the company, they may market similar goods or services to you until you opt out.
POPIA’s Impact on Businesses
An institution’s non-compliance with POPIA may result in severe penalties, including a fine of between R1 million and R10 million or imprisonment of one to ten years.
POPIA provides eight minimum conditions for businesses to comply with.
The eight conditions are as follows:
1) Accountability: Responsible parties must ensure that POPIA is complied with.
2) Processing limitation: Processing of personal information must be done lawfully and in a manner which does not infringe a data subject’s privacy. Information can only be processed if the processing is adequate, relevant and not excessive.
3) Purpose specification: Personal information must only be collected for a particular purpose and the data subject must be aware of the purpose of collection. In addition, records must not be retained for longer than necessary to achieve the purpose for which they were collected and/or processed.
4) Further processing limitation: Further processing of the personal information must be compatible with the purpose of its collection.
5) Information quality: Responsible parties must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated whenever necessary whilst taking into consideration the purpose for which the information was initially collected.
6) Openness: Responsible parties must ensure that the data subject is aware of the information being collected and the purpose of collection.
7) Security Safeguards: Responsible parties must not compromise the integrity and confidentiality of personal information in their possession or under their control. They should undertake risk management and take steps to identify any threats.
8) Data subject participation: The data subject can determine whether a responsible party holds their private information, and what information is held. They may also request the correction or deletion of information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
Should you, as an individual or business, require additional information or guidance in respect of POPIA, please contact our offices and we will gladly assist.
Prepared by Sherianne Pillay