The purpose of the Protection of Personal Information Act (POPI) is to bring South Africa in line with international standards for the protection of personal information. The Act will effectively change the way in which both government and business deal with individuals’ private information. It sets out mandatory regulations which every organization that processes persons’ information must adhere to in order to be compliant and avoid fines and, in some cases, even jail time.

Personal information has a wide meaning and includes information which identifies and relates to living individuals (for example, gender and employment history) and existing corporates (for example, company contact details and correspondence of a confidential nature).

The individual or corporate that the personal information relates to is referred to as the Data Subject.

POPI protects personal information of Data Subjects by imposing minimum standards for its lawful processing.

The Data Subject must consent to the processing of personal information except in certain circumstances. The most common of these is where processing is necessary to conclude or perform a contract with the Data Subject.

POPI applies to all Natural Persons, Juristic Persons, Public and Private Bodies. The Act came into effect on the first of July 2020; however, the Legislature has granted businesses and organisations a grace period up until 31 July 2021 to become POPI compliant, whereafter penalties will be charged for non-compliance.

In terms of the Act, the person responsible for processing that information is accountable for ensuring that the stipulations of the Act are followed.

The effect that compliance will have on your business is that you will have to compile a POPI compliance policy which deals with the administration and processing of the personal information of your customers, prospective customers, suppliers and employees.

Furthermore, you will need to train and appoint an information officer who will administer your POPI policies and conduct personal information impact assessments. It is also imperative that your employees are well informed of their responsibilities in terms of the POPI policy which you implement in your business.

The Act stipulates specific time periods for the retention of personal information, which can be found in the schedules to the Act. These time periods are set out to allow persons the opportunity to access their information which is in your possession, and to allow other parties who have the right to access such information by operation of law to do so. Processing of information must be done lawfully and in a manner that does not infringe the privacy of the individual.

Personal information can only be processed if the processing is adequate, relevant and not excessive, given the purpose for which it is to be used. Where the Responsible Party intends to use the information for any purpose other than that for which the information was collected, the Responsible Party must first obtain permission from the Data Subject.

In simple terms, if you are in the business of selling computer hardware products and you collect a customer’s personal information for the purpose of delivering the products to the customer, according to POPI you can only use that information for the purpose agreed upon at the time the information was collected. If at a later stage an opportunity presents itself where you would like to market new products which you have received, you are required, in terms of POPI, to first contact the consumer and acquire permission to send them such marketing material.

Only the following exemptions apply when processing information:

• For personal and household reasons;

• If the subject cannot be identified or is de-identified;

• Public bodies involved in national security;

• For purposes of executing the judicial functions of the court;

• For journalistic, literary or artistic purposes.