The Protection of Personal Information Act (POPIA), which comes into effect on July 1, compels businesses and organisations to protect personal information and prevent it being exposed and disseminated to unauthorised individuals and entities.
Under the new law, a business will also no longer be allowed to keep a record of a data subject’s personal information once the intended reason for its use has expired, except under certain circumstances.
Businesses and individuals are required to adhere to strict regulations in terms of the Act, failing which they may incur penalties such as a fine of up to R10-million, prison terms of between one and 10 years, or both.
To effectively meet requirements laid out by POPIA, businesses need to bear the following in mind:
- Processing of a data subject’s personal information for direct marketing purposes – whether via automatic calling machines, facsimile machines, SMSes, e-mail or any other electronic medium – is prohibited unless the subject has given consent and is a customer of that party.
- Potential customers may be contacted only once to establish if they want to “opt in” to the marketing services, and should they refuse, no further communication may occur.
- In the case of existing customers, the personal information can only be processed if it was obtained through the sale of a product or service, for the purposes of direct marketing, and the data subject has been given a reasonable opportunity to object.
- There are eight conditions for lawful processing that need to be met, namely:
  - Accountability: Responsible parties and operators must comply with the eight conditions for lawful processing;
  - Processing limitation: Personal information should only be obtained by limited and lawful processing that does not unnecessarily infringe privacy;
  - Purpose specification: The purpose for which personal information is collected must be specific, explicitly defined and lawful;
  - Further processing limitation: Further processing must be compatible with the purpose for which the information was collected;
  - Information quality: Reasonably practicable steps must be taken to ensure personal information is complete, accurate, not misleading and updated;
  - Openness: Notify the Regulator that the party processes personal information where prior authorisation is required, and advise the data subject of certain mandatory information in regard to the collection;
  - Security safeguards: The integrity and confidentiality of the personal information must be secured; and
  - Data subject participation: The data subject has certain access rights, including a right to request its deletion.
- Organisations and individuals need to become familiar with every aspect of the Act, including important definitions, roles and responsibilities of information officers, the importance of prior authorisation, rights of the data subject, practical examples and assessments.
- Data subjects have a number of rights, including: the right to be notified that their information is being collected; the right to know who holds their information; the right to request their information; and the right to ask that their information be removed or destroyed.
- Any person may lodge a complaint with the POPIA Regulator, and while the authority may attempt to arrange a settlement, it could also launch an investigation which could see the responsible party being sued in court.
- New Leaf Technologies offers an online course on POPIA which achieves the best results at the lowest costs. This course eliminates the need for workshops, which take employees out of operations for a period of time and decrease productivity.