Why do we need the Protection of Personal Information Act?

Essentially, the purpose of the Protection of Personal Information Act (POPIA) is to protect people from harm by protecting their personal information. To stop their money from being stolen, to stop their identity from being stolen, and generally to protect their privacy, which is a fundamental human right.

To achieve this, the POPIA sets conditions for when it is lawful for someone to process someone else’s personal information. From 1 July 2021, the substantive implementation of key provisions of the POPIA became enforceable. This legislation, among other things, promotes the protection of personal information processed by public and private bodies. Introduces minimum requirements for processing personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for law violations.

Any natural or juristic person who processes personal information, including large corporates and government, must comply.

The data protection laws of many other countries exempt SMEs, but not currently in South Africa.

What are the penalties for non-compliance?

There are essentially two legal penalties or consequences for the responsible party:

1. A fine or imprisonment of between R1 million and R10 million or one to ten years in jail.
2. Paying compensation to data subjects for the damage they have suffered.

It is very unlikely that anyone will go to jail, and the fines are small compared to other jurisdictions.

The other penalties include:

1. Reputation damage
2. Losing customers (and employees)
3. Failing to attract new customers

But your main motivation for complying with the POPIA should be to protect people from harm.

A comprehensive audit and checklist assessment should include;

1. Have you completed your data processing and protection due diligence and impact assessments?
2. Have you secured valid consents to use the data of your data subjects?
3. Have you entered into a contract with service providers who process your customers’ personal information to ensure they are POPIA compliant?
4. Have you appointed an information officer?
5. Do you know how to address data processing operations that trigger material data protection risks?
6. Do you know what to do if you experience a data breach?
7. Are you able to prove you are POPIA compliant?
8. Are privacy rules now embedded in your technology and business practices?
9. For cross-border transfers, do you know how to transfer and process the personal data of EU residents, and are you able to transfer personal data from Africa to the EU?
10. Have you identified and engaged with lead supervisory authorities regarding privacy law in all the jurisdictions in which you operate?
11. Have you considered privacy law enforcement and sanctions in terms of hefty monetary fines and reputational disasters?

If you are interested in assistance with your POPAI compliance or have any business legal enquiries, we encourage you to BOOK a Free 30-Minute Strategy Session with Yolandi Erasmus at https://10to8.com/book/iqzdxogocjoqhdlyvp/1662935