The Protection of Public Information (POPI) Act was signed into law recently with a commencement date due to be announced soon. Once the commencement date is revealed, companies will have one year to comply with the act or face heavy fines.
The act regulates how companies can collect, store, and secure the personal information of individuals and entities and brings South Africa in line with international laws on privacy.
POPI is an all-inclusive piece of legislation that safeguards the integrity and sensitivity of private information. Companies that handle personal particulars, such as telcos or banks, will be required to carefully manage the data capture and storage process. They will also have to get permission to keep data and disclose the reasons for needing it.
The Act will apply to a wide variety of information, including contact details and correspondence, human resources and payroll data, curricula vitae, applications for employment, CCTV records, performance reviews and internal e-mail records.
POPI also sets out stringent cross-border data transfer requirements: personal information may not be transferred to countries whose information protection frameworks are inadequate.
POPI lays out eight conditions that must be met for the processing of personal data to be lawful. The conditions listed here are:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation
Ritasha Jethva, Governance, Risk and Compliance Lead at Liberty Group South Africa, has outlined some core areas companies need to look at to help ensure they are POPI compliant.
According to Jethva, businesses need a greater understanding of the manner in which personal information is stored and processed, including the systems, processes and how logical and physical access is maintained and managed for the systems and areas housing personal information.
The company must then define a clear privacy incident management, reporting and response process. This ensures that breaches surface, that the resulting risks and exposures are managed, and that reporting and response strategies are clear and involve the right senior stakeholders.
In addition to this, companies must understand how third parties are adhering to the conditions of POPI and have clear information security strategies, processes, procedures and controls at both the technical and strategic level.
Moreover, companies must address the cross-flows of information, both internally (within the organisation and across legal entities) and across borders.
Companies will also need to manage the consent and exception process to ensure that the required consent is captured at the right time, for the right reason and in the right way.
Lastly, companies must invest in training and awareness to ensure that all employees understand the requirements of POPI and the spirit with which it is implemented.