Although POPI was signed into law on 26 November 2013 it is not yet fully operational. Its implementation hinges on the publication of a commencement date by the President. Once that date has been published, businesses will have a grace period of one year within which to be fully compliant with POPI.
This grace period is an acknowledgement of the practical challenges that complying with POPI introduces to businesses in South Africa. These challenges relate to the conditions essential for the lawful processing of information. While POPI offers significant levels of protection to individuals on how personal information is handled, it conversely holds businesses accountable for their actions when dealing with such data. Therefore businesses will have to adopt new processes and policy standards to enable compliance in a cost effective and efficient manner.
The following are some of the practical difficulties that businesses will encounter when complying with POPI.
The biggest challenge to businesses being fully compliant with POPI is the scope of the definition of “processing” of “personal information”. The definition of “processing” is very wide and refers to almost every instance where personal information is collected, used, recorded or altered. The definition of “personal information” does nothing to narrow the scope of POPI. It lists many types of information considered to be personal information. However, this definition is in no way exhaustive. As a result, businesses are placed in the precarious position of determining what data amounts to personal information.
Faced with this uncertainty, businesses will have to endure the inexhaustible process of discovering, understanding and classifying their data, and based on that implement controls. In this case, the appointment of an Information Officer into the business is recommended.
Technology will need to be implemented to ensure that businesses comply with POPI’s eight principles. This translates into a substantial investment into technology infrastructure and/or the outsourcing to third parties. This level of investment will be a particular burden for small business communities as POPI is not a once-off initiative. The on-going compliance monitoring means constantly upgrading and investing in technology to ensure the lawful processing of personal information. All of which amounts to a very costly challenge.
It is also important for businesses to be wary of relying heavily on technology. Condition 7, which relates to information security, not only refers to technology but also consists of people and the processes of a business. This highlights the importance of educating and training your staff to be fully compliant with POPI, most especially the staff in IT, customer services and call centers. In said cases, instead of making the staff experts in the law, the training should be focused on what they need to protect, why they need to protect it, and what they should do if the protection of personal information is compromised. They need to understand their role with regards to POPI compliance as they are part of the Big Picture.
POPI requires that the consent of the data subject, being the person to whom personal information relates, is obtained before the personal information is processed. This consent is particularly important when business process special personal information, which includes information about the data subject’s religious or philosophical beliefs; race or ethnic origin; trade union membership; political persuasion; health or sex life; and criminal behavior or biometric information. This requirement presents businesses with an onerous administrative burden. This additionally emphasizes the need to appoint an Information Officer.
POPI restricts the transfer of personal information identifiable to a data subject outside of South Africa, subject to the following exceptions:
This restriction is a challenge for global businesses willing to relocate to / expand into South Africa as prospective investors.
As a result, it is essential that businesses be very proactive in complying with POPI rather than risk facing a huge loss in revenue when the Act is implemented.
An important tip that most experts propose to ensure POPI compliance is for businesses take a holistic approach to its privacy practices by first understanding what POPI wants to achieve and what measures the business needs to put in place to achieve the objectives, rather than implementing POPI directly.
Click here to send us a message on LinkedIn with your details and we will contact you shortly.
Deal-making and Advisory
Training and Development