From the GDPR in the European Union to the POPI Act in South Africa, data privacy regulation is slowly making its way across the globe.
The Protection of Personal Information (POPI) Act was passed in South Africa in 2013 and will soon come into effect across the entire country. Like the GDPR in the EU, it is a wide-ranging regulation on data privacy, personal information and data consent which will have a huge impact on how enterprises do business across the entire country. A recent report suggested that only 34% of organizations were compliant with the Act, which makes for a troubling scenario.
If you are an organization based in the country, here is some information which you absolutely need to know:
What is the POPI Act?
POPI is the short form of the Protection of Personal Information Act, a piece of legislation which was passed in 2013 but is yet to be enacted. As per the official South African government website, it is aimed at the following:
- to promote the protection of personal information processed by public and private bodies;
- to introduce certain conditions so as to establish minimum requirements for the processing of personal information;
- to provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000;
- to provide for the issuing of codes of conduct;
- to provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
- to regulate the flow of personal information across the borders of the Republic; and
- to provide for matters connected therewith.
When will it come into effect?
Even though the Act was passed in 2013, it is yet to come into effect due to governmental regulations. Currently, the wait is on for a Regulator to be established, but most analysts feel it will not be long before the Act comes into effect.
Who will it affect?
The Act is intended to regulate how South African businesses collect, store, process and share personal information. Going by that definition, all South African businesses will be affected.
How is personal information defined?
The Act defines “personal information” as information related to an identifiable, living natural person which can include:
- Information related to personal differentiators such as race, sex, gender, pregnancy, marital status, etc.
- Information related to education, medical history, employment history, etc.
- Identifying numbers, symbols, email addresses, physical addresses, etc.
- Biometric information
- Personal views, opinions
- Correspondence sent by the person, etc.
How will it identify businesses?
For starters, businesses have to classify what information they collect about data subjects as “personal information”. Companies will have to comply with regulations on how they can handle personal information, subject to certain exceptions. “Records” and “sensitive information” must also be identified, and stakeholders will have to be notified in case of any data breaches.
What are the penalties for non-compliance?
Non-compliance can invite serious penalties. It could involve imprisonment for a period of up to 10 years or a fine of up to R10 million (rand), or in some cases, both.
Keeping all this in mind, it is imperative that South African enterprises start preparing for the inevitable and set in motion processes which will ensure full compliance with POPI.
As an IT security partner for your business, Seqrite provides comprehensive security from advanced cyber threats.