POPIA – Everything you need to know



It’s been 2 years since POPIA (Protection of Personal Information Act, 2013) came into effect on the 1st of July 2020. As all businesses know, data is one of your most valuable assets, and you need to ensure that you do not unintentionally fall foul of the Act.

The Act serves to protect everyone’s right to privacy by regulating the processing of personal information by public and private bodies. This includes the unlawful collection, retention, dissemination and use of any data subject’s personal information.


What does this mean for your business?

As a business, you need to comply with the 8 conditions that set out the minimum requirements for processing information. These are as follows:


Accountability simply refers to the fact that as a business you are accountable for complying with the Act.

Processing limitation stipulates that personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject.

Purpose specification defines that personal information can only be collected for a specific purpose and that the data subject is aware of that purpose. It also advises that you can’t retain the information longer than is necessary.

Security safeguards are another key area. As a business, you need to ensure that you have safety measures in place to protect the information you collect. This extends to any third party that processes information on your behalf.


Information quality refers to your responsibility to ensure that you have taken reasonable and practical steps to ensure that the relevant personal information is complete, accurate, not misleading, and updated accordingly.

Openness is where you are required to maintain documentation of all your relevant processing operations as per the Promotion of Access to Information Act (PAIA). This relates to ensuring that you have taken reasonable steps to ensure that the data subject is aware of the information being collected, the purpose of the information collection, etc.

Further processing limitation is where additional processing of personal information may occur. In these instances, you need to ensure that it is still in line with the original purpose for which it was collected.

Data subject participation is where data subjects can request to have their information updated or deleted.


Implementation of POPIA

Businesses need to appoint an Information Officer who is responsible for POPIA compliance. The Information Officer deals with any privacy requests and is also responsible for interacting with the Information Regulator.

When it comes to your client’s personal information there are two key changes. The first change is around consent – before you can save any of your client’s information, you will need their consent. The second key change is how you store your client’s information. You need to be able to prove at any given time that this information is stored securely and that it’s only used for the purpose you initially collected it for.

Data that is stored in a central secure location is easier to manage, so many businesses make use of CRM (Customer Relationship Management) systems to fulfill this function. Reminders can be set to ensure data is kept up to date and deleted after a certain period (if required), and access can be limited to certain individuals within a business. Gone are the days when employees save clients’ information onto their devices that anyone within the business can access.

Even something as simple as printing out a client’s personal information has its pitfalls. Businesses that need to print out personal information have implemented security codes on their printers so that client information does not lie forgotten on a printer.

What does POPIA mean for consumers?

The biggest change for consumers is that POPIA has provided consumers with rights when it comes to their personal information. The Act passes control to consumers in terms of who has access to their personal information, as well as how it is stored and used. Consumers now have the right to access, correct, and delete information that businesses may hold about them.

Businesses can’t store your information without your consent, and they cannot store your information for longer than necessary.

The Act doesn’t, however, prevent any businesses from performing their duties or functions in terms of the law.


POPIA places responsibility on businesses to ensure they are compliant. However, consumers need to educate themselves on their rights as they now have more control over their data.

The next time you receive an unsolicited call from a business, be sure to find out where/how they got your information. And if you no longer want their calls, be sure to tell them to remove your details from their database.
