WHEN DOES POPI COME INTO EFFECT?
- The Protection of Personal Information (POPI) Act was signed into law by the President on 19 November and published in the Government Gazette Notice 37067 on 26 November 2013.
- Once the Act is made effective, companies will be given a year's grace period to comply with the Act, unless this grace period is extended as allowed by the Act.
- The President has signed a proclamation declaring some parts of the Protection of Personal Information Act No 4 of 2013 effective from 11 April 2014.
- It is anticipated that the Information Regulator's office will be set up very soon and will start issuing codes of conduct for industries to comply with.
WHAT ARE THE KEY OBLIGATIONS OF A COMPANY UNDER POPI?
OPENNESS: A data subject must be given access to their information if requested
ACCURACY: Ensure you keep the data subject's data up to date
SECURITY: Ensure measures are put in place to keep the data subject's data secure
STORAGE: Only store the data for the time it takes to complete a specified process
PURPOSE: Only use the data for the purpose it was collected for and for the consent type given
PERMISSION: Only store the data for the time it takes to complete a specified process
WHAT IS PERSONAL INFORMATION?
- Age, sex, birth date, etc.
- Email, telephone, address, etc.
- Employment, educational, financial, criminal
- Opinions of and about the person
- Biometric information, blood type, etc.
WHAT IS PROCESSING?
Processing broadly means anything done with the Personal Information, including:
THE 8 INFORMATION PROCESSING PRINCIPLES: THE CORE OF POPI
- PROCESSING LIMITATION
Processing must be lawful, and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.
- INFORMATION QUALITY
The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, taking into account the purposes for which it was collected.
- ACCOUNTABILITY
The responsible party must ensure that the eight information processing principles are complied with.
- PURPOSE SPECIFICATION
Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. The responsible party must take steps to ensure that the data subject is aware of the purpose for which his/her personal information is being collected.
- FURTHER PROCESSING LIMITATION
This applies where personal information is received from a third party and passed on to the responsible party for further processing. In these circumstances, the further processing must be compatible with the purpose for which it was initially collected.
- OPENNESS
Personal information may only be processed by a responsible party that has notified the Information Protection Regulator. Further, certain prescribed information must be provided to the data subject by the responsible party, including what information is being collected, the name and address of the responsible party, the purpose for which the information is collected, and whether the supply of the information by that data subject is voluntary or mandatory.
- SECURITY SAFEGUARDS
The responsible party must secure the integrity of personal information in its possession or under its control by taking prescribed measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
- DATA SUBJECT PARTICIPATION
A data subject has the right to request a responsible party to confirm, free of charge, whether or not the responsible party holds personal information about the data subject, and to request from a responsible party the record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
WHO IS THE INFORMATION REGULATOR AND WHAT ARE ITS POWERS?
The Information Regulator is a juristic body that will be appointed in terms of POPI and will have wide-ranging powers and duties, including:
- Educate the public about POPI
- Monitor and enforce compliance
- Handle complaints about alleged violations
- Attempt to resolve complaints by means of dispute resolution mechanisms such as mediation and conciliation
WHAT SHOULD YOU DO NOW?
- Password protect all agreements that have personal information in them before emailing
- Make sure you have a system to track all opt-in and opt-outs
- Make sure you have a system that allows you to delete a consumer record if a consumer requests same
- Make contact with all contacts in your database with the objective of getting an opt-in from each contact
- Make sure you have a process that keeps your database up to date
- Make sure you change your passwords to any systems you use that store consumer information so that you avoid any loss of data
- If you are using cloud-based solutions, make sure that your service provider's servers are located within the borders of South Africa and that your data does not cross those borders
HOW CAN YOU GET CONSENT FROM YOUR CONTACTS (OPT-IN)?
- In terms of Section 69 of the Act, POPI applies to electronic communication, which in the POPI definitions refers to SMS and email
- Regular person-to-person (P2P) telephone calls are not included
- This means you have the option to call each data subject (contact) once to ask for consent. You may only call data subjects who have not already opted out
- You need to be transparent in your request for consent and ask for permission to send marketing/suburb-related information by email or SMS from time to time
- Then you need to make use of a system where you can record the consent obtained (opt-in or opt-out), so you can demonstrate that you have taken every reasonable step to comply with the POPI Act
WHAT IF YOU DON’T GET CONSENT?
- Simply put, you will NOT be allowed to send out any email or SMS to a data subject without consent having been obtained
- Your database will be worthless if you can’t engage with your contacts
- You face massive fines and/or jail time for non-compliance
- You face reputational damage
WHAT IS THE SANCTION FOR NON-COMPLIANCE WITH POPI?
Non-compliance with the Act could expose the Responsible Party to a penalty FINE OF R10 MILLION and / or imprisonment of up to 10 years!
- MYCE will give you a pre-populated database that you can start calling to obtain consent
- MYCE will keep your database enriched each month to keep your database up to date
- MYCE has a full POPI management module so you can record all your opt-in/opt-out
- MYCE audit trails all your activity so you can demonstrate that you are complying with the Act
- MYCE only uses local servers so your data does not leave South Africa
- MYCE is only accessible with unique usernames and passwords chosen by the user so your data is stored securely
- MYCE has an easy-to-use function to delete contact records if you get a request from a data subject
- Opted-out contacts are automatically excluded from any marketing communication to avoid any reputational damage and ensure compliance with the Act