We can help you become POPIA-compliant
South Africa’s comprehensive privacy law known as the Protection of Personal Information Act (POPIA) came into effect on 1 July 2021. POPIA gives individuals the constitutional right to privacy by safeguarding their personal information, while also protecting the flow of information. This is the same privacy standards established by the GDPR in the EU.
According to the TPN Credit Bureau, many South African businesses are still not compliant with the Protection of Personal Information Act.
What is POPIA law?
Essentially, the law sets out the rules and regulations for processing information about individuals and juristic persons. It provides rights to individuals about their personal information and an independent regulator will be enforcing the regulation. Read the official act here.
The Act applies to organisations processing (collecting, using or handling) the personal information of South Africans.
Personal information relates to “an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” This information about a person includes, but isn’t limited to:
· Name and age
· Race
· Gender/sexual orientation
· Marital status
· National, ethnic, or social origin
· Religion, beliefs, or culture
· Language
· Educational, medical, financial, criminal, or employment history
· ID number
· Email address, contact number
· Physical address
· Location
· Photo, video, voice recordings
· Biometric information
Your rights
You have the right:
· to be notified that your personal information is collected (including access by an unauthorised person)
· to request access to personal information
· to request correction, destruction or deletion of personal information
· to object (on reasonable grounds) to the processing of personal information
· to object processing for the purpose of direct marketing by means of unsolicited electronic communications
· to not be subject to decisions based solely on automated processing of personal information
· to submit a complaint to the Information Regulator
· to initiate civil proceedings for any violation
Data processing conditions
· The responsible party should comply with the conditions for lawful processing.
· Personal information must be processed lawfully and in a reasonable manner without infringing on the privacy of the data subject
· Personal information may only be collected for a specific, explicitly defined purpose, and information may not be retained for longer than necessary to meet that purpose.
· The responsible party should only process the information they need to fulfil the purpose for which it is being used
· Personal information collected should be complete, accurate, up-to-date and not misleading.
· The responsible party must maintain documentation of all processing and take steps to ensure information is provided to the data subject transparently.
· The responsible party must (i) take reasonable technical and organisational measures to secure personal information and (ii) ensure that the operator who processes personal information for the business establishes and maintains these security measures. (iii) notify the regulator and the data subject as soon as reasonably possible in case of a data breach or compromise.
·Data subjects are allowed to access their personal information, including the identity of any third parties it’s shared with. Businesses may also be required to correct, delete or destroy personal information.
And according to POPIA, personal information may only be processed if the data subject consents. unless the individual already has a contract in place with an organisation and where their personal information is required in terms of the contract, or where there is a reason in law for collecting or processing personal information
Consent must be voluntary and should also be taken for a specific purpose. So it shouldn’t be made conditional for using a product, service etc. This means cookie walls aren’t permissible under POPIA.
Records of your clients/customers
When you obtain personal information from your clients or customers, it’s a legal requirement to send this to the Information Regulator. They then check this according to CIPC for those companies still in business.
If you don’t have a website, you can create forms for your customers and suppliers to ensure compliancy. And you must keep a physical copy, signed in your secretarial file, in the event that someone challenges you by going to the Information Regulator. This is where we can help you.
How to POPIA-proof your website
· Provide an opt-in feature for consent whenever users are asked for their personal information, for instance on a contact page.
· To get consent for direct marketing (email, calls, text messages), make a consent request via Form 4 of POPIA.
· Provide users with an easy method to withdraw consent from direct marketing communications, such as an unsubscribe link in an email.
· Make it crystal clear that you are requesting consent for a specific purpose. Consent should not be bundled with other terms and conditions.
· Give consumers a method to exercise their free choice such as by the option to tick a checkbox or click a button.
· Keep records of when and how consent was obtained and for what purpose a user gave consent.
· Provide a feature whereby users can easily withdraw consent.
About cookie consent
POPIA doesn’t expressly regulate the use of cookies, but the definition of ‘unique identifier’ in POPIA includes any information relating to an identifiable person or juristic entity. This means identifiers like cookie IDs or IP addresses can be used to identify a person, so cookies can be subject to POPIA. In this regard, businesses need to advise visitors to their site that they deploy cookies and users must have the option to accept or decline.
CookieYes is a cookie consent solution used by over 1 million websites worldwide for compliance with privacy laws like GDPR, CCPA, LGPD and POPIA.
On your website you need to block third-party scripts from loading until the user gives consent. Keep a record of visitors’ cookie consent and how it was obtained for proof of compliance.
Have an updated privacy policy on your website available at all points of information collection.
Create a custom cookie policy and disclose all the cookies used on your website. Use a cookie consent solution to collect and manage your cookie consent.
Penalties for non-compliance with POPIA
The legislation allows for the following penalties: A fine of between R1 million and R10 million or imprisonment of 1 to 10 years.
The office of the Information Regulator will be responsible for enforcing the legislation. This Information Regulator has extensive powers to investigate and fine responsible parties.
Hills Business Solutions can help you to become fully POPIA-compliant. Please contact us for further information.