From 1 July 2021, the substantive implementation of key provisions of the Protection of Personal Information Act will finally become enforceable, meaning that businesses that collect and process personal information of South Africans have only a few more weeks to ensure they are compliant with POPIA.
- Compliance check
- Have you met the eight conditions for processing personal information?
- Further important issues to consider
From 1 July 2021, the substantive implementation of key provisions of the Protection of Personal Information Act (POPIA) will finally become enforceable. This legislation, among other things, promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law.
If yours is a business that collects and processes personal information of South Africans, you have just a few more weeks, until 30 June this year, to ensure that you are compliant with POPIA.
Can you answer yes to the following questions?
- Have you completed your data processing and protection due diligence and impact assessments?
- Have you secured valid consents to use the data of your data subjects?
- Have you entered into a contract with service providers who process your customers’ personal information to ensure they are POPIA compliant?
- Have you appointed an information officer?
- Do you know how to address data processing operations that trigger material data protection risks?
- Do you know what to do if you experience a data breach?
- Are you able to prove you are POPIA compliant?
- Are privacy rules now embedded in your technology and business practices?
- For cross-border transfers, do you know how to transfer and process personal data of EU residents, and are you able to transfer personal data from Africa to the EU?
- Have you identified and engaged with lead supervisory authorities regarding privacy law in all the jurisdictions in which you operate?
- Have you considered privacy law enforcement and sanctions – both in terms of hefty monetary fines and reputational disasters?
Have you met the eight conditions for processing personal information?
There are eight conditions for the lawful processing of personal information according to POPIA and your business should now have ensured that it is able to meet all of these eight conditions.
- Accountability – your business is responsible for ensuring the conditions for lawful processing are met.
- Processing limitation – your business must process personal information lawfully, minimally, in accordance with the consent, justification and objection provisions, and with the data subject’s consent, unless certain exceptions apply.
- Purpose specification – your business must process personal information for a specific purpose and adhere to the retention and restriction of records provisions in POPIA.
- Further processing limitation – further processing of information must be compatible with the purpose of collection.
- Information quality – your business must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated.
- Openness – your business must maintain the documentation of all processing operations under its responsibility and take reasonably practicable steps to ensure that the data subject is aware of certain information.
- Security safeguards – your business must: (i) secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures; (ii) in terms of a written contract, ensure that the operator, which processes personal information for the business establishes and maintains security measures; and (iii) as soon as reasonably possible after the discovery of a compromise, notify the Information Regulator and the data subject.
- Data subject participation – your business must allow a data subject to access and correct its personal information. Your business may also be required to correct, delete or destroy personal information.
Further important issues to consider
The information officer
The Information Regulator has published a guidance note in respect of the appointment of information officers and deputy information officers.
Although, POPIA does not require that an information officer must be a local person, the guidance note provides that in order to ensure accessibility, the information officer of a multinational entity based outside the Republic must authorize any person within the Republic of South Africa as an information officer.
POPIA also provides for the appointment of deputy information officers. With regard to the appointment of deputy information officers, the guidance note states that the information officer of a multinational entity based outside the Republic must designate any person within the Republic of South Africa as a deputy information officer. A person designated as a deputy information officer should be afforded sufficient time, adequate resources and the financial means to devote to matters concerning POPIA and the Promotion of Access to Information Act, 2000 (PAIA). In addition, the guidance note provides that an information officer or a deputy information officer should report to the highest management office within the private body. This means that only an employee at the level of management and above should ideally be considered for designation as an information officer or as a deputy information officer of a body.
A deputy information officer should be accessible to everyone, particularly to a data subject in respect of POPIA or a requester in terms of PAIA. Deputy information officers are required to have a reasonable understanding of POPIA and of the business operations and processes of the private body. In addition, only employees of a South African company can be appointed as a deputy information officer. In this regard, the guidance note specifically provides that a deputy information officer must be based in South Africa.
Depending on the circumstances, any obligation or liability incurred as a result of any delegation of any powers, duties and responsibilities to a deputy information officer will be imposed on either the information officer or responsible party in so far as POPIA is concerned. To ensure a level of accountability by a delegated deputy information officer, private bodies are encouraged to ensure that such duties and responsibilities or any power delegated to a deputy information officer is part of their job description.
The person authorizing any person as the information officer of a juristic person retains the accountability and responsibility for any power or the functions authorized to that person.
The information officer may be any one of the following: (i) the chief executive officer (CEO); (ii) the managing director (MD); (iii) an equivalent officer to the CEO or MD; or (iv) anyone duly authorized by that officer.
The information officer must be registered with the Information Regulator in order to perform the duties and responsibilities set out in POPIA. The person authorizing any person as the information officer of a juristic person retains the accountability and responsibility for any power or the functions authorized to that person. The names and contact details of a company’s information officer and deputy information officer will be made available on the Information Regulator’s website.
A manual in terms of section 51 of PAIA is also required. The manual must be lodged with the Information Regulator and it must be made available on the company’s website.
POPI requires an “opt-in” system for direct marketing. From July 2021, businesses will be prohibited from approaching consumers, for the purposes of direct marketing, unless:
- the business has obtained consent; or
- the consumer is a customer of the business.
Your business may approach a data subject only once to request the data subject’s consent:
- in the prescribed Form 4; and
- if consent was not previously withheld.
Your business may process the personal information of a data subject who is a customer of the business:
- if your business obtained the contact details of the data subject in the context of the sale of a product/service;
- for purposes of direct marketing of your business’s own similar products/services; and
- if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality.
Breach notification under POPIA
If your business experiences a data breach, it must notify the Information Regulator and the data subject, where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person. This notification must be made as soon as reasonably possible after the discovery of the compromise and you can only delay the data subject notification if certain exceptions apply. Businesses must report every breach, regardless of whether it caused potential significant harm
In terms of the obligations of business operators, any person who processes personal information on behalf of another business (i.e., the responsible party), in terms of a contract or mandate, must notify that business immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person.
With data fast becoming the new gold for businesses around the world, businesses that ensure they are processing and protecting this personal information correctly will not only ensure that they are legally compliant, they will also be equipped to successfully navigate the digital new normal, while maintaining the loyalty and trust of their most valuable assets – their customers.
For assistance in navigating the myriad of challenging privacy and data protection laws, regulations and guidance necessary to build a privacy program, please contact Janet MacKenzie, Partner and Head of the Technology, Media and Telecommunications Practice in Johannesburg or Reinhardt Biermann, Senior Associate, in Johannesburg. For further information pertaining to data privacy and security in the region, please read our article on the newly signed Cybercrimes Act in South Africa – here.