The commencement date of the Protection of Personal Information Act 4 of 2013 (POPIA) is expected to be announced during the course of 2017, after which organisations will have 12 months to become POPI compliant or “regulator ready”. Draft guidelines have been released for industry comment (1).

Based on this draft, the DMASA (Direct Marketing Association of SA) is concerned that the proposed POPI Act will significantly affect business as we know it in the direct marketing sector. The act in its current form is likely to lead to significant losses, not only in revenue but also in jobs. The DMASA has set up an online survey to gather input for a firm representation to the Regulator on why the act needs to be revised.

The following have been indicated as steps that organisations can start taking towards becoming “regulator ready”:

  • Privacy training and awareness
  • Deployment of a governance and data privacy target operating model for sustainable data privacy compliance
  • Privacy policy development and organisation policy review
  • An incident management plan, developed and in place
  • A personal information inventory

There are various efficient and cost-effective “quick wins” which organisations could initiate and implement to commence their journey to being “regulator ready”. These quick wins should ideally be initiated within an organisation’s high-risk areas as far as personal information is concerned. (2)

It’s important to note that POPI is not about jail time and fines. The often quoted R10m and/or 10 years imprisonment provision is a maximum penalty and only applies if you:

  • hinder, obstruct or unlawfully influence the Regulator
  • fail to comply with an Enforcement Notice
  • give false evidence
  • seriously or persistently, unlawfully process account numbers where it is likely to cause substantial damage or distress
  • without justification or consent acquire account numbers, sell them or try to sell them
    • ‘Account number’ above refers to a code assigned by a (financial) institution that allows someone to access funds or credit facilities

The one-year imprisonment or fine provision is again a maximum penalty and only applies if you:

  • process information that carries a particular risk to the Data Subject which requires prior approval AND you fail to get approval from the Regulator
  • work for or on behalf of the Regulator and then breach confidentiality
  • fail to reasonably cooperate with the execution of a warrant
  • falsely declare compliance with an Information Order issued on your organisation by the Regulator
  • fail to comply with a summons to give evidence before the Regulator.  (3)


Retain records only as long as necessary. POPI requires that “records of personal information must not be kept any longer than is necessary for achieving the purpose for which the information was collected…” (section 14(1)). Realistically, this may be one of the most difficult provisions to comply with, as it requires a very clear picture of every purpose for which a piece of information is kept and a thorough understanding of business processes.

There are some exceptions to this rule under which the information may be kept for longer:

  • Required by law (a guide detailing retention periods compiled by the South African Institute of Chartered Accountants is a good starting point (4))
  • Reasonably required (what is reasonable will depend on the circumstances of each case, which may lead to some uncertainty)
  • Required by contract (for example, your service contract with a customer might state that you are required to provide the customer with important safety updates regarding your product; to perform under the contract you would therefore need their contact information)
  • Consent (which must be specific, voluntary and informed)

Contact IDATA for further information.


http://www.popi-compliance.co.za/resources/get-informed/ (1)

http://www.itweb.co.za/index.php?option=com_content&view=article&id=165237:Viewpoint-Getting-regulator-ready-for-POPIA&catid=69  (2)

https://www.popi-compliance.co.za/fear-uncertainty-doubt/ (3)

http://www.mdacc.co.za/wp-content/uploads/2013/11/Retention-of-documents-updated-October-2013.pdf (4)
