Digital acceleration and transformation are changing the way businesses operate and interact with potential and existing customers. Many of these interactions occur online and lead to the collection, processing and storing of personal information, which comes with the added challenge of protecting this personal information and how it is being used. South Africa has followed the global community and created legislation called the Protection Of Personal Information Act, also known as POPIA, which has been designed to protect this information and data from misuse. We examine this Act and the importance of compliance in more detail below.
Protection of personal information overview
Globally, there has been a move to recognise the importance of privacy and data protection, especially because more and more social and economic activities are taking place online.
Privacy and the protection of information are just two of the focuses. Other concerns include collecting, using, and sharing personal information with third parties without notice or consent from data subjects. According to the United Nations Conference on Trade and Development (UNCTAD), 128 out of 194 countries have put in place legislation to secure data and privacy protection.
Countries in Europe subscribe to the General Data Protection Regulation (GDPR), which sets out requirements for anyone who controls personal data (aka the data controller) to process personal data lawfully. If you do business in Europe or target EU citizens, you will have to comply with these requirements. South Africa’s POPIA is very similar to GDPR and aims to ensure the protection of personal information and privacy.
We have mentioned that POPIA aims to protect personal information and privacy, but how is this done? The purpose of this piece of legislation is to:
- Give effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at balancing the right to privacy against other rights, particularly the right of access to information.
- Protect important interests, including the free flow of information within the Republic and across international borders.
- Regulate how personal information may be processed by establishing conditions in harmony with international standards that prescribe the minimum threshold requirements for the lawful processing of personal information.
- Provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act.
- Establish voluntary and compulsory measures, including establishing an Information Regulator, to ensure respect for and promote, enforce, and fulfil the rights protected by this Act.
POPIA role players and the eight conditions for the lawful processing of information
In terms of POPIA, three main role players come into play when examining the processing of information. These are:
- Data Subject – the person whom the personal information is about.
- Responsible Party – your organisation, or the organisation that decides how and why to process personal information.
- Operator – the party that processes personal information on behalf of the responsible party.
These role players each have different responsibilities in relation to the processing of data and information. These responsibilities are often referred to as the eight lawful conditions for the processing of data and include:
- Accountability – the responsible party must take accountability to comply with POPIA.
- Processing limitation – the responsible party must have a lawful basis for processing information, e.g. consent.
- Purpose specification – the data subject must know the reason why the responsible party is processing their personal information.
- Further processing limitation – if personal information is processed again, the responsible party must ensure that it is used only for the original purpose that the data subject was informed about.
- Information quality – the responsible party must ensure that the personal information they process is accurate and complete.
- Openness – the responsible party must process personal information in a way that allows the data subject to know what is happening with their personal information.
- Security safeguards – the responsible party must provide appropriate and reasonable security measures for personal information.
- Data Subject participation – the responsible party must communicate with the data subject about processing and must allow the data subject to correct and update their information.
All private and public bodies need to comply with POPIA and the above-mentioned lawful conditions. To ensure compliance, a business will need to make specific changes that will impact how the business collects, processes, stores, and shares personal information relating to the data subject. This includes the following points:
- Appointing an Information Officer who will be responsible for helping your business ensure compliance by developing a POPIA compliance framework. They will also implement and manage measures and procedures that ensure the lawful processing of personal data.
- Update your Promotion of Access to Information Act (PAIA) manual. PAIA requires all companies to have a PAIA manual; however, POPIA has added some specifications and requires that you provide this updated information in your PAIA manual. Your PAIA manual must be POPIA compliant.
- Evaluate your current processes for collecting, recording, storing, and disseminating personal information and data.
- Ensure appropriate security safeguards are in place to protect personal information and secure the confidentiality and integrity of the data. This includes identifying internal and external risks, implementing security measures, verifying that they work effectively, and continually updating these measures.
- Businesses will need to examine the information already in their possession and ensure that it is accurate and up to date. They will also need to ensure that the information is being used only for the purpose it was originally collected for. Records of personal information may not be retained any longer than is necessary for achieving the purpose for which the information was collected, and all information held without authorisation must be deleted.
- Businesses will need to define the purpose of the information gathering and processing to ensure that it is lawful. In this case, the data subject must be notified and informed about the information being utilised and processed.
- It is essential that you have a legal basis (in terms of POPIA) for each processing activity you undertake. Ensure that you obtain the informed consent of the data subject to obtain and process their information.
- Create an easy process for the receipt of data subject access requests related to whether you hold their personal information, what information you possess etc. You also need to ensure that they can correct information, withdraw consent and object to the collection of information.
- In relation to electronic direct marketing activities, you need to ensure that the data subject has given consent for the processing of their information. The data subject must be given a reasonable opportunity to object, free of charge and in a simple manner, to the use of their electronic details at the time their details are obtained and every time a communication is sent to them.
- In terms of cross-border transfers, you will need to take steps to determine whether you are entitled to transfer personal information about a data subject to a third party in a foreign country.
Why should your business comply with POPIA?
As a business, it is now a legal requirement to comply with this Act. Penalties for non-compliance with POPIA can significantly impact your business in many ways, including fines of up to R10 million for serious offences as well as jail time of up to 10 years.
Securing your data and data processing activities in line with POPIA will ensure that your business is following good practice guidelines. This creates opportunities, both locally and internationally, and reflects positively on your organisation and its reputation. You will also be able to put your customers' and potential customers' minds at ease, knowing that their personal information, data and privacy are safeguarded and protected.
We are proud to announce that Adapt IT Telecoms, as of the 1st of July 2021, is POPIA compliant. We have done our due diligence to adapt data processing and management procedures to ensure that all personal information and data is secure and in line with the lawful guidelines mentioned above.
The POPIA compliance date has been extended to 1 February 2022. By this date, companies across South Africa are required to ensure complete compliance with the guidelines and points mentioned above. At Adapt IT Telecoms, we are proud to have gotten ahead of this deadline to ensure our compliance with POPIA and the protection of our customers and potential customers’ personal information and privacy.
Steven Sutherland is an experienced Adapt IT Divisional Executive and a dynamic business leader for the Telecoms Division, with a demonstrated 25-year history in the telecommunications and IoT sectors. He is a strong global marketing, sales, and business development professional with 15-plus years of focused experience in the Southern and Rest-of-Africa markets and a unique blend of entrepreneurial spirit combined with a passion for both technology and business.
At Adapt IT, Steven is responsible for building and growing the Telecoms Division on top of its industry-proven software competencies, including but not limited to Customer Experience and Self Service, NextGen VAS, IoT, FINTECH, and Advanced Analytics. Steven is always looking forward to an opportunity to demonstrate the value that his 20-plus years of experience in these disciplines can bring to your business.