Compliance with the Protection of Personal Information Act (“POPIA”) is now mandatory in South Africa. POPIA provides for a one-year transition period, allowing impacted organizations until July 1, 2021, to comply. POPIA regulates the processing of personal information where “personal information” is any information that relates to an identifiable, living natural person or legal entity, and “processing” is collecting, storing, using, disseminating, or destroying that information. Most organizations in South Africa that have personal information in their possession will likely be subject to POPIA.
What Are the Main Roles Designated in POPIA?
POPIA designates four main roles:
- Data Subject: the individual to whom the personal information relates.
- Responsible Party: the party that determines “why” and “how” personal information is processed.
- Operator: the party who processes personal information on behalf of a responsible party.
- Information Regulator: the body that monitors compliance with and enforces POPIA.
Does My Organization Need to Comply with POPIA?
If your organization alone, or in conjunction with others, determines the purpose and means for processing personal information, then there are two key questions to determine whether POPIA applies to your organization. POPIA focuses on the location of the processing rather than the location of the data subject. Your organization must comply with POPIA if you answer “yes” to one of the below questions, unless one of the listed exceptions in Section 6 of POPIA applies:
- Is your organization domiciled in South Africa (in other words, is your organization based in South Africa)?
- If your organization is not located in South Africa, does it process personal information within South Africa?
POPIA’s Eight Conditions for Lawful Processing
For your organization to lawfully process personal information, you are required to meet POPIA’s eight conditions:
- Accountability: As a responsible party, you are obligated to ensure that your organization is fully compliant with POPIA and its conditions for lawful processing.
- Processing Limitation: Your organization may only process personal information fairly and lawfully and, in some cases, with the consent of the data subject concerned.
- Purpose Specification: Your organization can only collect personal information for a specific, defined, and legitimate purpose.
- Further Processing Limitation: If your organization processes personal information for a secondary purpose, this secondary purpose must be compatible with the initial purpose of collection.
- Information Quality: Your organization is responsible for keeping the personal information it processes complete, accurate, and up to date.
- Openness: Your organization must be transparent about its privacy practices and inform data subjects when, how, and why their personal information is being collected and processed.
- Security Safeguards: Your organization must implement and maintain technical and organizational measures to safeguard the integrity and confidentiality of the personal information you process.
- Data Subject Participation: Your organization must respect and respond to the various rights granted to data subjects, such as the right of a data subject to request access to their personal information, or to request that their personal information be deleted.
Organizational Steps to Compliance
Is your organization ready for POPIA? VeraSafe’s free POPIA Compliance Checklist can help your organization come to grips with POPIA’s requirements and the practical steps that you need to take to achieve compliance. We encourage you to review POPIA as a whole and to use VeraSafe’s POPIA Compliance Checklist to help you identify compliance gaps that you will need to urgently prioritize. POPIA is a complex law and every organization’s approach to POPIA compliance will be unique. This POPIA Compliance Checklist is by no means a substitute for sound legal compliance advice to address specific privacy issues within your organization.
Steps to POPIA Compliance
VeraSafe has a comprehensive POPIA Compliance Program, which links your organization to our specialized South African privacy attorneys, information security experts, and project managers, providing you with an internationally experienced, cross-functional team. VeraSafe has a proven track record of embracing the complex intersection of law and IT across a range of jurisdictions, which differentiates us from a more traditional South African firm.