POPI is designed to protect personal information processed by public and private bodies. 'Personal Information' is that data which alone, or in combination allows a person to be uniquely identified, and any information that may tell the reader something about someone. The Act came into effect on 1 July 2020, with a 12-month grace period. From 1 July 2021, non-compliance will come with substantial penalties, including a fine or imprisonment of between R1m and R10m or one to 10 years in jail; and financial compensation for damages suffered by data subjects.
In a world that has already been forced to digitise faster than ever before, concentrating on another area of restructuring may appear overwhelming. For this reason, local provider of e-signature solutions in South Africa, Impression Signatures, has embarked on a campaign to demystify POPI, making reliable information available to businesses of all sizes, at no cost. This campaign drives compliance by explaining not only why it’s important, but the terms, requirements, and obligations created by the Act too.
POPI is quite clear, the burden of proof that consent was obtained rests with the ‘responsible party’; the entity or person responsible for gathering the information. This means that it is up to the business to prove that they got consent from the customer, and not the customer's responsibility to prove that they gave consent. It is expensive because systems that were not planned or designed with privacy in mind struggle to retrofit changes into legacy models and processes. In some cases, everything needs to be re-engineered.
If the data is retained for any reason it must be safeguarded. This includes securing storage of this data so that unauthorised third parties do not have consent to access this data, and that people within the organisation, who are not part of the legitimate processing of that data do not have access either. These data management activities should also be provable, so a company should be able to prove that customer data is safe.
Accessibility is key, and many small businesses simply cannot afford expensive lawyers, consultants, or data consulting experts to help them re-engineer their processes.
\Much like the General Data Protection Regulation (GDPR), POPI comprises three main principles: who can have access to data; what data can they have access to; and how can they use this data? The Impression POPI Campaign seeks to explain the definitions in a more palatable format while giving businesses confidence in their approach to compliance.
With this information at hand, organisations are empowered to take a risk-based approach to compliance. Operating in accordance with the Act must be accessible to all. The focus should be on affordable solutions and reliable guidance that helps businesses embrace a cost-based, business-centric approach to applying POPI. Businesses must understand their appetite for risk, and the level of data security that each individual contract requires.
