POPI officially became law on the 26th of November 2013. This means South Africa will now be in line with international best practice when it comes to the protection of personal information.
The Act essentially regulates how anyone who processes personal information must handle, keep and secure that information, says Lucien Pierce, an attorney at Phukubje Pierce Masithela Attorney in a Mail & Guardian article.
It will affect nearly every area of business processes and will require, among other things, amending legal documents, consolidating data views, analysing subcontracting practices and gaining control over cross-border data flows.
Here's how POPI will affect your business
Biz Community reports that Mark Craddock, KPMG's specialist on this legislation, says globally there have been several cases of breaches of personal information regulations, with financial institutions being most heavily affected.
He says if your company is involved in processing personal data, it's in your best interest to test your level of compliance with the act as soon as possible.
In the report, Cliffe Dekker Hofmeyr director Nick Altini shares the same sentiments.
He says your company will have to be a lot clearer on why it requires certain personal data and what you intend doing with it. This means you'll have to get consent from the individual to be able to use the information in the manner they have indicated.
In terms of the Act, personal information includes a person's race, gender, sex, marital status, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth.
'It will require behavioural changes from companies, as well as internal structural changes such as information technology upgrades, assurances that a database could not be accessed, and physical fire-walls and safety measures to ensure employee records are kept safe. These records include their medical, educational and disciplinary records,' says Altini.
The report also explains that the onus will be on you to ensure your own internal structures actually flag individuals who haven't given you permission to use their personal information.
Altini noted that 'it's going to be difficult for smaller companies to create the necessary computerised structures, but that's the way of the world now. It costs money to be compliant.'
What are the consequences of not complying with POPI?
According to Pierce, while POPI has been signed into law, it isn't effective yet. The president still has to decide on the commencement date.
But this doesn't mean you shouldn't get your house in order.
Once the commencement date is announced, your company will have a year to become fully compliant with the Act.
If your company fails to comply once POPI has kicked in, you'll face huge penalties.
'Anyone who contravenes POPI's provisions faces possible prison terms and fines of up to R10-million. POPI also allows individuals to institute civil claims so there's the possibility of further financial loss on top of any fine that may be imposed,' explains Pierce in the Mail & Guardian article.
The bottom line: The fact that your company has a year to make changes that'll help you comply with POPI doesn't mean you should relax. If your business processes personal information, make sure you understand how POPI affects you and comply as soon as possible.
'Your organisation has more than a year to make changes that will help it comply with POPI. If you start attending to them now, you should be fully compliant by the time POPI starts showing its teeth,' says Pierce.