On 1 July 2020, the majority of sections of the Protection of Personal Information Act (“POPI”) came into effect. These sections create obligations and impose penalties for non-compliance – ranging from fines to imprisonment. The commercial and publicity-related consequences of breach could be even more damaging, and are unquantifiable.
But fear not… there is a grace period of one year to ensure full compliance, and we are here to help you achieve just that!
The requirements of the Act are:
Condition 1 – Accountability
Ensure that all requirements of the Act are met and that appropriate measures are put in place to achieve compliance.
Condition 2 – Processing limitation
Personal information must be processed lawfully and in a reasonable manner, and the information must be limited only to what is necessary to achieve the overarching purpose.
Condition 3 – Purpose specification
The purpose of the collection of information must be lawful and clearly defined.
Condition 4 – Further processing limitation
Further processing of personal information must be in accordance with the purpose of its collection.
Condition 5 – Information quality
Ensure that the personal information is complete, accurate, and not misleading.
Condition 6 – Openness
Keep a record of all processing operations and keep data subjects informed of policies and procedures.
Condition 7 – Security safeguards
Secure information records with suitable software and physical security measures.
Condition 8 – Data subject participation
Data subjects have the right to request confirmation of whether their personal information is being kept on record. They may also request the correction or deletion of any information which is inaccurate, excessive, misleading or unlawfully obtained.
We suggest the following preliminary steps:
- Appointing an Information Officer, to manage the processing of information, and to deal with complaints and enquiries.
- An evaluation of software and other methods used to collect and process personal information, to test the level of protection against unauthorised access.
- Compiling a detailed Policy Document, for distribution to all data subjects. The Policy should explain:
  - The purpose for which personal information is collected and processed
  - Procedures for obtaining consent from data subjects
  - Procedures for collecting personal information
  - The storage and protection of personal information
  - The rights of data subjects and complaints procedures