The POPI Act: What you should know and MetCon’s compliance
9th July 2021
All that abhorrent spam you never asked for; all those unwanted opt-ins and opt-outs; all those anonymous messages that left you wondering how far and wide your personal details have travelled … all that is the result of the unethical and irresponsible use of your personal information.
What is POPI?
The POPI Act, sometimes referred to as POPIA, is South Africa’s answer to the European Union’s GDPR, or General Data Protection Regulation. Organisations need to be compliant by the 1st of July 2021. Both POPI and GDPR require specific measures to be taken by organisations when handling the personal information of individuals and organisations.
What does POPI mean for an individual and for a business?
The POPI Act means different things depending on who you are. As a consumer, you only need to sit back and celebrate the enhanced protection of your personal information. As a business, you need to pay close attention to what the POPI Act means for and requires from your type of company. This applies especially to businesses that require personal information from their customers in order to operate, such as financial organisations.
The least you need to know about POPI
– The POPI Act exists so that your personal information is treated responsibly and not misused by the organisations that require it.
– “Personal Information” is essentially any information that relates to a specific individual or a company — such as an ID number or a physical or email address. There are specific requirements for dealing with “special” personal information such as an individual’s race, health, sex life, biometrics or his/her political or religious beliefs.
– “Data Processing” is key to the POPI Act and refers to how organisations handle personal information including how it is collected, processed, stored and transmitted.
– The POPI Act doesn’t only apply to digital information but all formats of personal information. If you are handling people’s personal information, the POPI Act applies to you.
– The key roles when considering POPI compliance are the Data Subject (who the personal information belongs to), the Responsible Party (the organisation deciding how and why to process the information), and the Operator (those who process the information).
– Organisations adhering to the POPI Act must assign the role of Information Officer to a senior staff member. This person is responsible for encouraging and ensuring compliance with the POPI Act and for liaising with the Information Regulator.
– There are eight conditions for the lawful processing of personal information in terms of the POPI Act: 1. Accountability, 2. Processing Limitation, 3. Purpose Specification, 4. Further Processing Limitation, 5. Information Quality, 6. Openness, 7. Security Safeguards, and 8. Data Subject Participation.
– Fines and penalties for non-compliance vary according to the level of infringement, with the maximum sentence being ten years’ imprisonment or a R10 million fine.
MetCon and POPI
MetCon takes the handling of personal information seriously, as all organisations should.