Ask yourself these simple questions:
- Does my organisation collect personal information on any of its staff, customers or suppliers?
- If we collect personal information, do we know for what purpose?
- Do we know that by collecting this information we are opening up the organisation to having to comply with the data governance requirements?
- If we are collecting this information, do we know how we are ensuring the integrity of this information?
- Do we share any of this information with any other organisations either through explicit knowledge or inadvertent interaction?
PROTECTION OF PERSONAL INFORMATION COMPLIANCE
POPI was conceived to give effect to the right to privacy by introducing measures and requirements to ensure and enforce the safeguarding or protection of personal information.
It also balances the right to privacy against other rights, such as the right to information or data. This is especially vital to ensure the free flow of information within and across the borders of South Africa.
One of the core purposes of South Africa updating our Data Protection legislation is to align ourselves with the rest of the world, and to ensure that our laws around the protection of personal information – and data protection in general – are up to global standard.
POPI has not yet been enacted, which makes it difficult to know what the final law entails in detail, and the impact it will have on your business. However, there are basic outlines and there is an understanding of what POPI will require, and how organisations should be preparing for POPI.
Highlights and Implications:
- The role of the Information Officer in the organisation will become increasingly important, and hold increased responsibility.
- Organisations will have to put a Privacy Strategy and Data Protection Policy in place as a matter of urgency, backed by secure and reliable data protection technologies.
- Hefty personal liability financial penalties and jail terms for non-compliance will be meted out to executives of the organisation.
WHAT IS POPI?
THE PROTECTION OF PERSONAL INFORMATION
POPI ensures that all South Africans have their constitutional right to the privacy of their personal information enforced.
The Protection of Personal Information Bill (POPI) will align South Africa with international data protection laws and best practices. The Bill will also protect personal information collected and processed by all private and public organisations.
It requires all organisations to comply with specific data protection practices in order to ensure that South Africans’ data is effectively protected – and that these requirements are legally binding.
Personal information privacy presents a growing challenge as organisations must adapt and comply with complex international laws on how they handle personal information. The Bill requires organisations to establish appropriate policies and procedures to protect the various forms of data that are part of their business operations.
WHAT IS THE DEFINITION OF ‘PERSONAL INFORMATION’ – WHAT DATA NEEDS TO BE PROTECTED?
Personal Information is: Recorded information about an identifiable individual that may include his or her name, address, email address, phone number, race, nationality, ethnicity, origin, colour, religious or political beliefs or associations, age, sex, sexual orientation, marital status, family status, identifying number, code, symbol, fingerprints, blood type, inherited characteristics, health care history including information on physical/mental disability, educational, financial, criminal, employment history, others’ opinion about the individual, and personal views except those about other individuals.
The POPI legislation will apply only to Personal Information that is processed.
Processing includes collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, use, dissemination and merging.
WHO DOES POPI APPLY TO?
If you process personal information, as in the above description, or if you outsource your data to third parties, your organisation will have to comply with POPI. All organisations have personal information about shareholders, employees, customers and suppliers, so POPI affects every business, and every area of your business.
WHY SHOULD I COMPLY?
To grow the organisation
How do you grow an organisation? You focus on protecting your customers and your employees. If you are looking after these two groups of people, then you are going to flourish and do well as a business. You also need to win the trust of your customers in particular. If you can show them that you are protecting their personal information, they will trust you more, which will result in them wanting to do more business with you. And more business means you will grow and prosper.
On the one hand, privacy has nothing to do with legal compliance and everything to do with ensuring that you are doing what you should be doing in the eyes of your customers. You have a serious problem if your customers, or your employees for that matter, don’t trust you.
Avoid legal problems, difficulties or disputes
On the other hand, you want to avoid legal problems, difficulties, and disputes. This is the legal compliance aspect of your privacy objectives.
You want to avoid things like fines and regulatory investigations. Disputes in the form of litigation are always costly, time-consuming and are usually not in anyone’s interests.
“Institutions adopting the principles of POPI will not only position themselves in a favourable light to prospective foreign investors with similar legislation, but also support their business endeavours beyond South Africa’s borders and help them gain client trust. Consequently, awareness of privacy requirements will improve, helping organisations to comply with required law – while gaining a competitive advantage.”