The Essentials for the South African Protection of Personal Information Act (POPIA) Compliance

The South African Protection of Personal Information Act (POPIA) is the most comprehensive data protection law in South Africa. Its commencement date is June 30, 2021, after a one-year grace period.

The POPI Act shares many similarities with the EU's General Data Protection Regulation (GDPR). It relies on the opt-in principle, which means that businesses must not process personal data without a legal basis, most often consent.

In this article, we will get into the details of the law, explain the basic requirements, and give you an idea of what you need to do to comply with it.

What is the South African Protection of Personal Information Act (POPIA)?

The South African Protection of Personal Information Act (POPIA) is the data protection law of South Africa.

It was passed on July 1, 2020, but came into effect one year later. It defines what personal data is and prescribes duties for controllers and processors. The duties involve being transparent to users about data practices, having a lawful basis for processing, and implementing appropriate safeguards to secure data in the organization and prevent data breaches.

It also grants data subjects rights to their data privacy.

Violations lead to penalties imposed by the information regulator.

Does the POPI Act apply to my business?

The POPIA applies to persons and companies that process personal data that are:

• Based within South Africa, or
• Based worldwide, but uses automated or non-automated means in South Africa.

It is the same extraterritorial applicability standard present in many other data protection laws globally. However, the POPIA differs from other laws because it does not cover businesses that just offer products or services to South African residents without automated or non-automated tools in South Africa.

What is personal data under the POPIA?

Personal data under POPIA is any information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person.

South Africa's Protection of Personal Information Act also lists a number of personal information categories to clarify that they are considered to be personal information. That includes data on race, age, mental health, sexual orientation, marital status, social origin, etc., as well as biometric data, education data, opinions, and others.

However, the definition is not limited to that list. Anything that identifies a person is personal information.

Basic Principles for POPIA Compliance

The POPIA relies on a number of principles that determine the rights and duties under the Act. These include:

• Accountability means taking responsibility for the processing.
• Processing limitations mean that you need a legal basis to process data and should process only the minimum amount of data.
• Purpose Specification, meaning that you must know why you process data and that you need to delete it once you don't need it anymore.
• Further processing limitations mean that you can process the collected data only for the intended purposes. You cannot collect data to provide services and then use it for marketing.
• Information quality, meaning that you have to ensure that your data is accurate;
• Openness means that you have to be transparent with users. The most common way to be open to them is by providing a comprehensive privacy policy and notifying them of data collection.
• Security safeguards, meaning that you must ensure that the data you process is safe. You have to do everything you can to prevent data breaches and save yourself from reputational damage.
• Data Subject Participation, meaning that you have to honor data subject requests
  

What are the responsible parties and operators?

Responsible parties are the persons or entities that make decisions about data processing. They decide that they need to process personal information, the methods, the third parties they would use, and so on. According to many laws, they are called data controllers.

Operators are the persons or entities that process the data on behalf of the responsible parties. In many laws around the world, they are called data processors.

What are the POPIA data subject rights?

POPIA data subject rights include:

• Right to know of the processing
• Right to access the data
• Right to erasure
• Right to correct the information
• Right to object

When you receive a data subject request, you are obliged to respond to it within a reasonable time. There is no fixed time frame, like in many other data protection laws.

Do we need to collect consent to comply with the South African POPIA?

You must collect consent for personal information processing under the South African POPIA unless you have another legal basis for it.

The consent must be:

• Voluntary, meaning that the user shall give you consent free of any conditioning and by their unambiguous action;
• Informed, which means that you must inform the user of the data processing before obtaining consent; and
• Specific, meaning that you need specific consent for each specific processing purpose.

When it comes to the use of website cookies, you'll always need to obtain explicit consent.

What is a POPIA-compliant privacy policy?

You are obliged to publish a privacy policy on your website. It must include at least the following:

• What information is being collected, and where is it coming from, if not directly from you?
• Who is collecting the information, including the name and address of the company or organization?
• Why is the information being collected?
• Whether giving this information is optional or required,
• What happens if you don't provide the information?
• Any specific laws that allow or require this information to be collected
• If the information will be sent to another country or international organization, and how well that place protects your information,
• Third parties that might get to see this information:
• Data subjects have the right information;
• How to complain if you think your information is being misused, including how to contact the Information Regulator
  

Can we transfer personal data outside of South Africa?

You can transfer personal information outside of South Africa freely as long as the third country where you transfer the data provides adequate data protection.

This includes regions like the European Union and countries with similar laws. In other cases, you can rely on Binding Corporate Rules.

What are the POPIA requirements for data breach notifications?

POPIA requires you to notify the Information Regulator and data subjects of data breaches. If you are the operator, you must notify the responsible party, too.

The notification must include:

• A description of the possible consequences;
• A description of the measures that the responsible party intends to take or has taken;
• a recommendation regarding the actions the data subject should take; and
• If known to the responsible party, the identity of the unauthorized person who may have accessed the personal information

In addition, you must:

• Identify all the likely risks from both inside and outside the organization that could affect the personal information you hold or control.
• Set up and keep in place suitable protections against those identified risks;
• Regularly check to make sure those protections are working as they should, and
• Keep updating these protections to deal with new risks or to fix any weaknesses in the protections you already have in place.
  

Do you need a DPO to comply with the POPIA?

Under POPIA, the Data Protection Officer is called an Information Officer, and yes, you need to appoint one to ensure that your organization is compliant with the law.

The duties of the Information Officer involve:

• Encourage compliance within the organization.
• Conduct a Data Protection Impact Assessment, where necessary.
• Handle data subject requests.
• Ensure compliance in any other way, including training employees, providing advice on data protection, etc.

The Information Officer must be registered with the Information Regulator.

Penalties for POPIA violations

The Information Regulator may impose monetary fines in the case of non-compliance with POPIA. Some violations may also lead to 10 years of imprisonment.

The monetary fine maximum by the Information Regulator is set at ZAR 10 million (around EUR 500,000 or $520,000).

Imprisonment of up to 10 years is possible in the case of obstruction of the Information Regulator, false witness claims, non-compliance with the Regulator's notices, and similar offenses.

Imprisonment of up to 12 months is an option in the case of a breach of confidentiality, failure to notify the data subject of the processing obstruction or execution of a warrant, and others.

POPI Act Compliance with Secure Privacy

You can comply with the South African POPIA cookie consent and privacy policy requirements with Secure Privacy. Our consent management platform is easily adjusted to most of the data protection laws worldwide.