POPIA empowers citizens with enforceable rights concerning their personal information, such as the right to access, the right to correction and the right to destruction, and establishes eight minimum requirements for lawful processing.
POPIA only concerns organisations that are domiciled in and/or process data within South Africa and protects both individuals and companies.
Over and above severe reputational damage for companies that are found non-compliant, the Information Regulator, an independent body, will serve as lead enforcer of the law. Those who fail to comply with POPIA may incur penalties of up to 10 million Rand and/or up to 10 years imprisonment. In addition, POPIA offers data subjects the ability to institute civil action for damages against organisations, irrespective of the organisation’s intent. These class actions can be facilitated by the Information Regulator without the legal heavy lifting of a typical class action, which may make them more likely.
Defining Key Terms of POPIA
Responsible party: A public or private body that determines the purpose and means for processing personal information of a data subject.
Operator: A party that processes personal information on behalf of the responsible party.
Data subject: Any party to whom the personal information relates.
POPIA refers to the “personal information” of a data subject. This includes, but is not limited to, information about race, sex, education, marital status, criminal history and employment history. POPIA designates a separate category for “special personal information,” such as religious beliefs, trade union membership or sexual orientation, and has special regulations for processing the personal information of a child.
Under POPIA, data subjects are granted the right to be notified when and how their data is being collected, the right to access that data, and the right to correct or delete it.
POPIA’s eight conditions for the lawful processing of data are:
1. Accountability;
2. Processing limitation;
3. Purpose specification;
4. Further processing limitation;
5. Information quality;
6. Openness;
7. Security safeguards;
8. Data subject participation.
Of these eight conditions, it is important to highlight security safeguards as perhaps the riskiest for organisations, as it speaks to the ability to shield against data breaches. Under Chapter 3, Section 19 of POPIA, responsible parties must take proper measures to prevent “(a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information” (even if nothing is done with that data). If there are “reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person,” responsible parties are required to notify the Information Regulator and the affected data subjects “as soon as reasonably possible after the discovery of the compromise.”
Under POPIA, responsible parties can still be considered compliant if they fall victim to a data breach, as long as they can prove they took all the steps POPIA requires to avert it. Therefore, it is important not to cut corners on your organisation’s journey to compliance, as successful compliance will help prevent both data loss and legal ramifications.
Essentially, POPIA empowers data subjects by holding organisations accountable for the responsible safekeeping of their personal information. The biggest obstacle is that companies are hoping for shortcuts, and there really are none: you have to go through a multi-step process, and the first step is finding out what information you have and how you process it. That is a huge challenge in itself.
So what’s a good starting point for organisations? “Definitely try and get some guidance; you can streamline some of the processes by using reputable vendors like SOLVE to manage aspects of your data.”
Over the next few weeks, we will explore the ins and outs of POPIA either through our blogs or our daily posts in order to debunk common misconceptions and offer tips to organisations.