WHAT IS THE POPI ACT?

Thursday, November 11th, 2021

POPI stands for the Protection of Personal Information Act (No. 4 of 2013).

The Act was signed into law on November 19, 2013, and parts of it became effective only on April 11, 2014.

When the Act was passed into law, it came embedded with a grace period of 12 months. The intention was for businesses to reimagine and update their systems and processes.

Given that it takes on average six months to two years to implement a POPI-compliant plan, the Information Regulator (IR) emphasizes that businesses must already be preparing themselves, even without a formal launch date in sight. This, of course, also means that it is an opportunity for individuals and businesses to be educated on the intricacies of the laws that affect us.

It is a chance to galvanize us and our teams to work together to inspire and maintain transparency.

In its very essence, the POPI Act sets the conditions for the lawful processing of personal data of South African citizens.

The Act contains eight general conditions, listed below.

  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security Safeguards
  8. Data subject participation

If you’re familiar with the European Union’s General Data Protection Regulation (GDPR), it is easy to see POPI as the South African counterpart of the European regulation. And as with its European counterpart, POPI makes responsible parties culpable for failures among those who process data on their behalf.

The Act also provides South Africans with rights regarding unsolicited electronic communications. Historically, the sector (especially with the fast acceleration of digital platforms) has gone without accountability and regulation.

POPI differs from other privacy laws in several ways. The biggest difference centers on consent: POPI does not require you to get consent from data subjects before processing their data.

The only case in which consent is required is when processing special types of data and the data that belongs to children.

The POPI Effect: benefits of the Act

  • When and how you choose to share your information demands your consent.
  • The type and extent of information you choose to share must be collected for valid reasons.
  • Transparency and accountability on how your data will be processed and proper notification if or when the data is compromised.
  • Granting you access to your information as well as the right to have your data removed or destroyed if that is what you intend to do.
  • Who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information.
  • Storage. There must be sufficient processes in place to guard your information from theft, or being compromised in any way.
  • The integrity and continued accuracy of your information are of paramount importance. Your information must be captured accurately and, when stored, the organisation is responsible for maintaining it.

Quarphix consideration

As usual, ignorance of the law is no excuse. Incorporating POPI into the day-to-day operations of a business will most likely require a significant amount of time and effort, including: educating and training staff, updating business processes and implementing or updating technology solutions.

To that end, we offer 24/7 server monitoring (real-time). Cloud monitoring enables 24/7 holistic monitoring of your IT environment that is quick, efficient and proactive, so that you can focus on running your organisation at optimal performance, consistently.

When it comes to staying on the safe side of data processing, taking swift action is crucial. Consider, for example, that under the POPI Act you could be breaking the law if you do something as simple as synchronising your contacts on your phone, sending an email with sensitive content, taking and sharing a video or photo, or using an international mail provider.

In the course of doing business and sending communications, there is a possibility of data breaches.

It’s crucial that the business is able to protect data and keep applications running in the event of a service outage. Any type of downtime will have an impact on your organisation’s financial, legal or reputational components.

Our service supports your business requirements for the on-going operation of applications and data processing.

Section 2: Benefits of POPI

The fundamental question is: How does the POPI Act impact you as an individual, and/or your business?

The requirements that centre on the protection and maintenance of data have the most challenging implications for businesses.

For example, you can no longer view, and by extension manage, your business as separate and self-regulating parts. Instead, a business and the people who work in it must connect all the departments.

Obviously, this has major consequences for the entire organisation and how it is operated. Day-to-day activities must be checked to assess whether they contribute towards the entire business.

And when it comes to effectively managing personal information, every single person in the business is responsible for contributing towards keeping a secure place of work.

This is why Quarphix is uniquely positioned to offer dependable customer relationship management (CRM) services.

The goal is simple: improve business relationships and data processing to grow your business.

Another important aspect to note is that working towards being POPI-compliant is not an exercise that can be solved on one level within the business. An autonomous approach, where departments work separately, is not going to create sustained results.

A practical solution requires a holistic approach to unify your systems and resources.

Assess the impact on your business

What effect will the POPI Act have on your business?

The first step towards reaching compliance is understanding what type of (personal) information to collect, how to process it, and how the law impacts the fundamental processes of your business.

For small businesses, the choice to implement technology solutions will be significant in making or breaking POPI compliance.

The POPI Act states that responsible parties must take “appropriate, reasonable technical and organisational measures” to ensure the integrity and prevent the loss of information. Businesses and their owners/operators no longer have an excuse to disregard cybersecurity.

Within a business, responsible parties will have to acquire skills to a level where they can participate in the implementation process of technology or, at the very least, participate effectively in the decision-making process.

Who is Exempt from POPI?

The Act mainly applies to people or groups in South Africa who process data for commercial purposes.

The law states exclusions from coverage in the Act. These include:

  • Data processed for personal reasons.
  • Data processed by (or for) a public body relating to national security, law enforcement, or the justice system.
  • Data processed by a province’s Cabinet and committees or Executive Council.

Fortunately, the implementation of POPI in your business does not have to be a tedious task. The POPI legislation and compliance process should be embraced and implemented in the spirit in which it was created: mainly, to bring change and data protection.

Implementing POPI creates an opportunity to simplify, review and streamline your business operations, policies and processes based on sound business practices and embrace appropriate and cost-effective technological solutions.

If you embrace this legislation early, there are many benefits, including cost savings and overall business automation.

Remember: You only have one year to achieve that transformation. All the best of luck! ‘Happy POPI’ing!’
