POPI is good news

"A lot of companies in South Africa have been very lax in how they deal with personal information about their customers, staff and even suppliers," she says. "There has been some complaining about how much it will cost some businesses to implement POPI, but in truth the business practices that POPI promote are long overdue. Local businesses should see it as an opportunity to catch up with international best practices - especially if they have any intention of doing global business."

Van Zyl says the need to protect personal information is clear: "Identity theft is a reality, and the costs to the person whose identity is stolen can be very high. None of us wants to be the one it happens to - so we'd better hope all the companies we deal with implement the principles contained in POPI properly. And we have an obligation to do the same for our own customers and employees."

There is no simple checklist for POPI compliance, says Van Zyl: "It's not a once-off project in terms where of you can tick some boxes," she says. It's about making sure all your business processes that touch personal information are in line with the general principles of the Bill."

A simple rule she says, is "don't collect information you don't really need - and have a clear purpose for every piece of information that is collected. What, for example, is the purpose of asking visitors to an office building or a hotel to give their ID numbers? If you don't clearly need the information for a specific purpose like conducting a credit check, don't ask for it."

Clear policies on information storage

By the same token, information shouldn't be used for a completely different purpose once collected. "You can't collect information for a credit check and then use it for marketing - unless the data subject is aware of the fact that it will also be used for marketing purposes." she says.

Another important principle, she says, is to have clear policies for how information is stored, how long it is stored for and when it gets destroyed. "If an ID number is being written on a piece of paper along with a home address and then filed on the shelf behind the receptionist's desk where anyone can access it, there's a big problem," she says. "Businesses have an obligation to store important personal data safely, and to destroy it when they don't need it anymore - for example when their relationship with the customer ends and there is no other reason in law for you to keep the information."

It is a common fact that a lot of businesses do not ever destroy information in terms of any retention policies. "POPI will aim to change this. It might for example be tricky to justify retention of information that is 20 years old and has not been used in the last 10 years. Retaining that information just creates risk for the business that the information may be lost.

Finally, she says, companies who collect personal information should be careful about how and when they share that information with others. If the data subject would be surprised to find out that the information was shared with the third party, you should think twice.