The Protection of Personal Information Act came into effect on 01 July 2021. Combined with the Promotion of Access to Information Act, in our world they are referred to as POPIA. Tarsus Technology Group recently hosted a webinar titled “Understanding POPIA” in which we shared our experiences of POPIA and how it affects a business.
What does it mean to protect data privacy?
Why personal information must be protected
What does it mean to protect data privacy?
What are the rules?
The eight POPIA conditions
POPIA vs GDPR
What are the consequences of not being POPIA compliant?
What are the quick wins for organisations that are lagging??
Albert Gerber, Chief audit executive, Alviva Holdings and Senzo Mbhele, Head of employee experience and innovation marketing, Tarsus Technology Group.
Failure to comply with the requirements of the POPI Act could have dire consequences.
It’s true to say that this is a complicated subject and that most organisations have neither the internal expertise nor the time or budget to get a full grasp on the topic.
For those who were unable to watch the webinar here is an overview of the discussion and how the subject of the requirements of the Act was unpacked.
Data has become the single biggest asset for any company. When a security breach takes place, it’s not just an internal problem – attackers are after the personal information that organisations store. Data breaches regularly expose millions of personal data records which criminals use to commit fraud or identity theft.
POPIA gives individuals – referred to as data subjects – the right to know what’s happening with their personal information and impose stringent fines on organisations that fail to protect data privacy
It means handling personal data with respect for confidentiality and anonymity. This applies to all data related to individuals, such as their names, birth dates, addresses, identity numbers, financial data and medical records.
Failing to ensure data privacy can have negative repercussions for organisations. Even a single leak of personal data can have a serious impact on an organisation's financial well-being and its reputation, as investor and customer trust can be irreparably damaged.
To protect data privacy, organisations need to understand what data they have, where its located, who can access it, how it is secured, and how it will be destroyed when the organisation no longer needs it.
POPIA is not rules-based, which makes it tricky as it is not possible to simply do a tick box exercise and expect that all requirements have been met.
The key to understanding the Act is that it is based on reasonableness. Its purpose is to protect people’s personal information, to prevent their identity and money from being stolen, and to protect their privacy
For organisations to ensure that they lawfully process information, where process refers to the ‘cradle to grave’ handling of information, they need to comply with eight POPIA conditions:
1: Accountability
All organisations must appoint an information officer who will be responsible for ensuring that information is protected, and controls are in place to enforce protection.
2: Processing limitation
The information must be collected in a reasonable manner, with the consent of the individual, and the amount of information must be relevant and not excessive.
3: Purpose specification
Personal information must be collected for a specific purpose and the data subject must be made aware of the purpose for which it was collected.
4. Further processing limitation
Personal information cannot be passed on to a third party, such as a medical aid or retirement fund, for further use without the consent of the data subject.
5: Information quality
The personal information that has been collected must be complete, accurate, and up to date.
6: Openness
The organisation must be open about the collection of personal information and must ensure that the data subject has been made aware that their personal information is going to be collected.
7: Security safeguards
Security safeguards must be put in place to ensure the integrity and confidentiality of the information.
8: Data subject participation
Data subjects have the right to request whether or not an organisation holds personal information about them and to request a description of the information.
POPIA ensures that South African data laws are fairly aligned with international requirements.
POPIA is comparable to the European Union’s General Data Protection Regulation (GDPR) and shares many of the same principles, granting citizens specific rights over their personal information, requirements for data processing, defining personal information for end-user protection, fines for privacy violations, and the formation of the Information Regulator (SAIR) to enforce and monitor the laws.
The consequences of non-compliance are significant. POPIA imposes various criminal offenses for non-compliance, including imprisonment not exceeding 10 years, or a fine not exceeding R10 million – or both.
In addition to penalties, the reputational damage is huge and the effect on the organisation can be devastating.
To get the full story, watch the POPIA webinar here.
For further information on POPIA, visit the Protection Of Private Information Act, here.
.png?width=40&height=40&name=XTwitter%20(1).png){kind=small}
