The POPI Act, or POPIA, is South Africa’s data protection law. The “Protection of Personal Information Act” is South Africa’s counterpart to the EU’s GDPR: it sets out how, why, and by whom personal information may be collected, stored and shared. What exactly does that mean, and how can you make sure your organization complies with the regulation?
Let’s dive deeper into what the POPIA is before we discuss concrete steps that your organization needs to take in order to comply with the regulation.
POPIA applies to any responsible party, public or private, that is domiciled in South Africa, and to any responsible party that is not domiciled in South Africa but processes personal information using means located in South Africa.
“Personal information” is defined very broadly in the POPIA and includes:
Unlike the GDPR, POPIA protects not only the personal information of living natural persons but also that of juristic persons, such as companies and other organizations.
By “processing”, POPIA means any operation or activity concerning personal information. This, again, results in a very wide scope of actions, such as the collection, receipt, recording, storage, distribution, or destruction of personal information, to name a few.
Certain exclusions exist, such as for public bodies that process personal information for purposes of national security and similar functions. Processing carried out in the course of a purely personal or household activity is also outside POPIA’s scope.
The purpose of the POPIA is to safeguard personal information from theft, misuse, and malicious actions. POPIA’s rules are designed to “give effect to the constitutional right of privacy”.
In general, the POPIA does 3 things:
Compliance with the 8 conditions is mandatory for both public and private entities under POPIA. Those conditions are:
Accountability: whoever processes personal information, the responsible party, must ensure that all of POPIA’s conditions are complied with.
Processing limitation: processing must be lawful, limited to information that is adequate, relevant and not excessive for the purpose, and based on the data subject’s consent or another lawful justification.
Purpose specification: information must be collected for a specific, explicitly defined and lawful purpose, and may not be kept longer than necessary to achieve that purpose.
Further processing limitation: any further processing, including sharing with third parties, must be compatible with the purpose for which the information was originally collected.
Information quality: the personal information held must be complete, accurate, not misleading and, where necessary, kept up to date.
Openness: the data subject must be made aware that their information is being collected, by whom, and for what purpose, and the responsible party must maintain the required documentation of its processing.
Security safeguards: personal information must be protected, through appropriate technical and organisational measures, against loss, damage, unauthorised destruction and unlawful access, and a compromise must be reported to the Information Regulator and the affected data subjects.
Data subject participation: a data subject may ask whether their personal information is held, request a copy of it, and have it corrected or deleted.
Most of POPIA commenced on 1 July 2020 with a one-year grace period. That grace period ended on 30 June 2021, and the Act has been enforceable since 1 July 2021.
To stay on the right side of the law, your organization will have to take various steps to comply with the 8 conditions of POPIA. These steps will include:
As with any regulatory compliance effort, you’ll first want to complete a gap analysis to map out where your organization stands against each of the requirements. Appointing an Information Officer, who must be registered with the Information Regulator and is responsible for the organization’s compliance, is another important step towards satisfying all of POPIA’s stipulations.
Remember, data protection is an ongoing process and will require constant monitoring and management.