POPI: 10 Compliance Tips for Companies
The one-year grace period for ensuring compliance with the Protection of Personal Information Act 4 of 2013 (POPI) comes to an end on 1 July 2021. This may come as a welcome relief for us in our personal capacities as it promises to curtail the number of unsolicited emails, SMSs and telemarketing or robocalls that we receive daily. But for businesses and organisations, the implementation of POPI can be a vast and time-consuming operation.
In its simplest terms, POPI regulates the processing of personal information (or data). “Personal information” means information relating to an identifiable person, which under POPI includes both living individuals and existing juristic persons such as companies, and “processing” means anything you do with that information (e.g., collecting, receiving, storing, filing, using or sharing it).
It is clear that POPI will affect almost every aspect of a business and its operations, spanning its supply chain and encompassing all of its employees, contractors and agents. The wide scope of POPI makes it hard to know where to begin with compliance. However, if you take a systematic and pragmatic approach, you will find that compliance is achievable, and that you can use it as an opportunity to make your existing data storage processes and systems work better for your business.
Here are some helpful compliance tips to get you started.
Identify your data
Before you can even start to think about how to comply with POPI, you first need to identify what personal information you have. Do not underestimate what a mammoth exercise this is, especially if your company has been around for a while or has many employees, suppliers and customers across its operations. The bigger your operations, the more people you may want to involve in this process. For example, if your data systems are not well maintained or centralised, you may want to ask your team leads to carry out mini audits in each of their business units or functions to identify what personal information they process on behalf of the business, where it is kept and who has access to it.
Organise your data
One of the key tools for complying with your obligations under POPI, and staying compliant, is having good filing and organisation systems in place.
How are you currently storing and managing your organisation’s existing data (e.g., your employees’, customers’ and suppliers’ data)? If you do not have effective systems in place, it is vital that you get started on this as soon as possible.
Having proper filing, tracking and monitoring systems that allow you to easily access, check and update the content and quality of your data is critical. Further, if you are ever approached by an individual or a government authority to provide data or evidence of your compliance, you will be able to do so easily and quickly.
Secure your data
It is paramount that you put appropriate security measures in place so that data in your possession cannot easily be accessed without authorisation, lost, damaged or misplaced. POPI requires you to secure the integrity and confidentiality of personal information through appropriate, reasonable technical and organisational measures, so the measures you choose should be proportionate to the sensitivity of the data and the risks to it.
For digital data: there are numerous options available in the market to enhance your existing security set-up, including encryption of data in storage and in transit, access controls that limit who can see which records, and backups that allow data to be recovered if it is lost or corrupted. Whatever you adopt, keep a record of who has access to what so that you can answer that question when asked.
For hard copy or physical data: you will need to ensure that hard copy documents are safely secured throughout their life cycle, from receipt to disposal. It is recommended that you put written processes and procedures in place around how to keep your data safe. This may include keeping documents containing personal information in locked filing cabinets or safes and shredding them when they are no longer needed.
It may also be worthwhile to do risk assessments in your departments or teams to identify points in the data’s life cycle (collection, transfer, storage and disposal) where it could be accessed or intercepted by people who should not have it.
Do not keep data unnecessarily
In general, you should delete or destroy data that you no longer require or use. However, first check your Document Retention Policy, as some documents must, by law, be kept for longer periods than others.
Inform data subjects what information you are collecting and why
This is usually done by way of a privacy notice or privacy statement and should, where possible, be done at the time you collect the personal information. POPI focuses heavily on transparency and on making sure that you use the data in line with the purpose for which the data subject gave it to you. Section 18 of POPI sets out what your privacy notice/statement must contain and should be read with the amended Promotion of Access to Information Act (PAIA).
In addition, you should also look at updating all of your contracts and other company documents, such as your Standard Terms & Conditions, to include a data protection clause.
Have a process for providing personal information to people (if they request it)
Under POPI and PAIA, if someone requests a copy of the personal information that you hold about them, you will generally be required to provide it. So you want to make sure, in advance, that you have a process in place for this and that your employees understand and know that process. You will need to know what personal information you hold about data subjects, and where it is located, in order to give effect to this right.
Have a process for deleting data on request
After 1 July, if an individual requests that their personal information be deleted, you will generally be required to do so, subject to any legal obligation that requires you to keep the record. Again, knowing where the data is located and who has access to it will be important in giving effect to this right.
Train your people
Compliance with POPI cannot be achieved through a beautifully worded company data policy alone. It must form a living part of your organisation and its processes. Therefore, you need to make sure that all your employees (and your agents and/or contractors) read and familiarise themselves with your policies and procedures.
Marketing: Check out what is and is no longer allowed
When it comes to marketing, POPI distinguishes between different forms of electronic marketing. It is therefore particularly important that you understand what the obligations are in each area and adapt your approaches accordingly.
Under POPI, you can no longer use broad, pre-ticked boxes by which people automatically consent to every kind of marketing. Further, you need to make it clear and easy, at any stage, for people to unsubscribe from emails, SMSs, etc., and once a person has opted out, you need to make sure that the change is effected and implemented internally without delay.
Get good advice
Speak to a specialist and get proper legal advice from someone who can guide you through the changes that POPI is bringing and help identify how these will affect your business.
Stormme has a BA and LLB from Rhodes University and was admitted as an attorney in 2010 after having completed her articles at Bowmans. She continued at Bowmans as an associate and then senior associate in its corporate and construction team. In 2014 she moved to BASF Holdings South Africa Pty. Ltd as the head of legal and compliance for Market Area Africa. Stormme joined Caveat in 2021 focusing on corporate and commercial work.
For interviews or further information, contact Yvonne Wakefield at Caveat Legal on +27 83 275 2971
Caveat Legal is a legal consultancy with a team of specialised and experienced lawyers in a number of commercial fields of law: www.caveatlegal.com
Caveat Legal is an innovative legal service provider that makes Big Firm-quality legal work available to businesses without the bells and whistles (and costs) usually associated with it.
We achieve this by making our panel of 55 top-tier lawyers available to consult to businesses, either remotely or in house, on a brief, retainer or secondment basis. Caveat was founded in 2011 and has established itself as a market leader, covering all of the commercial fields of law and servicing an impressive range of medium-sized and large businesses.
Find out more about how we can help your business navigate and understand matters pertaining to Commercial Law. We’ll make an experienced Panel Member available as your dedicated lawyer on call to discuss your requirements as we aim to find the right solution for your business.