If you are running a business, you may well want to be aware of everything that may affect it. This includes new competitors, the economic environment, and new regulations that your business has to comply with. One of the policies that you need to be aware of is the POPI Act, which seeks to protect the personal information of consumers and employees so that they do not become victims of identity theft.
What does the POPI Act stand for?
POPI stands for Protection of Personal Information Act, a policy that aims to bring South Africa in line with international standards of protection of personal information. It sets some conditions for responsible parties to process personal information responsibly.
The Act says:
“1) The POPI Act applies to the processing of personal information –
- a) Entered in a record by or for a responsible party by making use of automated or non-automated means. Providing the recorded personal information is processed by non-automated means, it must form part of a filing system or is intended to form a part thereof; and
- b) The responsible party is –
  - Domiciled in the Republic; or
  - Not domiciled in the Republic, but makes use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic.
2) a) This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and that is materially inconsistent with an object, or a specific provision, of this Act.”
What is the POPI Act timeline?
POPI came into effect on 1 July 2020, but organisations had a 12-month grace period to become POPI compliant. The POPI Act is expected to be regulated by a new Information Regulator, while within your company your Information Officer will be the key person ensuring that you're compliant.
Does the POPI Act stop businesses from processing data?
No. The POPI Act does not stop you from processing data. You can still process information, but you are expected to comply with the POPI Act to the letter.
Exclusions of the POPI Act:
There are some exclusions where POPI does not apply. They include:
- Processing any personal information that has been de-identified.
- Sending holiday cards.
- When the SAPS or Hawks are investigating a crime.
- Or, in a situation where journalists, authors, or artists express their opinion.
The Act says:
“1) This Act does not apply to the processing of personal information –
- a) In the course of a purely personal or household activity;
- b) That has been de-identified to the extent that it cannot be re-identified again;
- c) By or on behalf of a public body –
  - Which involves national security, including activities that are aimed at assisting in the identification of the financing of terrorists and related activities, defence or public safety; or
  - The purpose of which is the prevention, detection including assistance in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in legislation for the protection of such personal information;
- d) By the Cabinet and its committees or the Executive Council of a province; or
- e) Relating to the judicial functions of a court.”
What happens if I don't comply with the POPI Act?
Failure to comply with the POPI Act may lead to reputational damage, heavy fines, and imprisonment, or even worse – paying out damages claims to data subjects.
MGT Accounting and Consulting Inc is committed to adhering to the requirements of the POPI Act. As an accounting firm, we are guided by the following principles:
- To give our clients the constitutional right to privacy, by safeguarding their personal information when processing information.
- To regulate the manner in which personal information may be processed or shared, and establish conditions, in line with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
- To be transparent at all times and follow procedures that govern the processing of personal information;
- To comply with the applicable legal and regulatory requirements regarding the processing of personal information;
- To collect personal information through lawful and fair means and to process personal information in a manner compatible with the purpose for which it was collected;