The Protection of Personal Information Act (PoPI Act, or PoPIA) came into effect on 1 July 2020, with a 12-month grace period for South African organisations to become compliant. The act is complex and affects a broad range of entities and industries, which makes it a little tricky to wrap one’s head around.
To save you the headache, we have summarised the key elements of the PoPI act so that you have a better understanding of what it protects, and why.
In This Guide:
- What is the PoPI Act?
- Examples of information protected by the PoPI act
- Why is the PoPI act important to South Africa?
- What does the PoPI act mean for website owners?
- What does the PoPIA mean for web users?
- What happens if you are not PoPI compliant?
- Do I need a PoPI compliance certificate?
What is the PoPI Act?
The PoPI Act requires South African individuals and organisations to act responsibly when collecting, processing, storing, and sharing personal information. It also holds an entity accountable should it abuse or compromise personal data in any way.
In a nutshell, the act gives you control over:
- When and how you choose to share your details
- Whether the information requested is relevant and necessary for the stated purpose
- How your data will be used (limited to the purpose)
- Having your information removed from an entity’s records if you so wish
- Who has access to your information
- How and where your information is stored
- The integrity and continued accuracy of your personal data
Examples of information protected by the PoPI act
The PoPI Act protects the personal information of individuals (natural persons) as well as that of businesses and other organisations (juristic persons).
The type of data it covers includes:
- Identification and passport numbers
- A person’s age and date of birth
- All contact details, including online/instant messaging identifiers
- Gender, race, and ethnicity
- Photos and video recordings
- Biometric data
- Marital status
- Criminal records
- Private correspondence
- Religious and political beliefs
- Employment history and salary information
- Financial detail
- Physical and mental health data
- Memberships and subscriptions
Why is the PoPI act important to South Africa?
The PoPI Act is important because it protects people, businesses, and organisations from harms such as theft, fraud, and discrimination. It gives data subjects a practical, day-to-day means of exercising and enforcing their privacy rights, and protects them from organisations and criminals that behave as if they were above the law.
What does the PoPI act mean for website owners?
PoPIA affects the way business owners manage information both online and on paper. For example, if you manage a website, you will need to classify the consumer data your site collects and identify whether it constitutes personal information. You are then responsible for safeguarding that information, and you will be held accountable if it is used beyond the purpose for which it was collected; that accountability extends to data breaches.
What does the PoPIA mean for web users?
The PoPI Act is designed to protect website users from data breaches and cybercrime, and to curb intrusive marketing practices.
If you complete an online order form with your personal contact details, the recipient cannot use its own terms and conditions to override its obligations under the act. Your details are protected by PoPIA, which sets the conditions under which they may be used, stored, and secured, and which holds the recipient accountable for any misconduct.
For example:
If you subscribe to a newsletter for event updates in your area, the events company may not share your details with its vendors unless you have explicitly given it permission to do so.
For more information on how to protect yourself while you browse, read our guide on staying secure online.
What happens if you are not PoPI compliant?
If you are found to be non-compliant, you risk reputational damage, fines, and, in the worst case, imprisonment. You may also be ordered to pay civil damages to affected data subjects.
Penalties for not complying with the PoPI Act include:
- Administrative fines of up to R10 million
- Imprisonment of up to 10 years
Do I need a PoPI compliance certificate?
There is currently no official PoPIA compliance certificate, although this may change in future. For now, it is up to each organisation to ensure that it has PoPI-compliant policies and procedures in place. If you, as an individual or a business, believe that your data has been breached or misused, you can lodge a complaint with the Information Regulator.