Is your business ready for the Protection of Personal Information (PoPI) Act?

Recently, Liberty Holdings became a victim of a cyber attack which resulted in personal information being compromised. If POPI was fully operational Liberty Holdings would have been subjected to a full scale investigation, by the Information Regulator, to determine the exact nature of the cyber attack and subsequent data breach. If Liberty Holdings were found not to have the necessary safeguards in place, in terms of the POPI regulations, it could have been subjected to a hefty fine. This latest data breach therefore should be a wake-up call to all institutions and companies to comply proactively with the Act.


So what exactly is POPI?

POPI is legislation designed to ensure the confidentiality and integrity of personal information which is processed by both private and public bodies. It aims to ensure that individuals and juristic persons (legal entities) are informed about how their information is protected and used. All South African institutions and companies therefore must have the appropriate technology, processes and policies in place to ensure that all personal information is managed in a responsible and accountable manner. This means that the collection, processing, storing, retrieving and sharing of personal information are protected and must comply with conditions as set out in the Act.

POPI therefore creates a framework for the management of personal information. The Act is lengthy and deals with many issues, but issues, key to personal information, include the following:

  • Obtaining your consent to share your information.

  • Ensuring that your information is used for the purpose that it was collected for.

  • Provide transparency on how your information will be used.

  • Allowing you access to your own information.

  • Allowing you the right to remove your information.

  • Transparency to know who has access to your information and where it is stored.

  • Not to be subjected to unsolicited marketing activities and to have the right to opt-out.

The Act was signed into law in November 2013. Only the sections pertaining to establishing the Information Regulator and empowering the regulator and the minister to draft the regulations are implemented.


What would constitute personal information?

  • Identity or passport number

  • Date of birth and age

  • Contact numbers

  • Email addresses

  • Online or instant messaging identifiers

  • Physical address

  • Gender, race and ethnic origin

  • Photos, video footage, voice recordings and biometric data

  • Marital relationship status and family relations

  • Criminal record

  • Private correspondence

  • Religious or philosophical beliefs: including personal and political opinions

  • Employment history and salary

  • Financial information

  • Education information

  • Physical and mental health information

  • Memberships to organisations or unions


Who does this act apply to?

The Act applies equally to all businesses (small, medium and large).


When will it be fully implemented?

It is envisioned that the Act will be fully implemented by the end of 2018, however, this is not confirmed. Thereafter, all affected parties will have 12 months to comply. It is estimated that it can take between six months and 5 years to fully comply with the Act, depending on the size of the institution.


What are the consequences of not complying with POPI?

There are a number of actions that the Information Regulator must take to determine accountability and responsibility when data is compromised. The implication for a guilty party can be a fine of R10 million or more, a 12 month jail term for responsible individuals, an order to cease processing personal information or even civil law action. In addition to these punitive measures, the reputational impact can also be extremely damaging. 


Wait, there is more…

Depending on the nature of your business, you may need to ensure compliance with the General Data Protection Regulation (GDPR), which is a similar law adopted by the European Parliament in 2016. The is important for South African institutions and businesses, outside of the EU jurisdiction, because it applies to entities managing personal information of data subjects residing in the EU. Also, as a major trading partner, South Africa will seek to align POPI with the GDPR.


Need assistance?

Protection of Personal Information ( if you want to discuss your requirements to comply proactively with the Contact usPoPI) Act.