POPI Compliance | Five effective steps your business can take right now.

This five-step checklist should help you ensure compliance with the Protection of Personal Information Act, which is now in force.

The Protection of Personal Information Act, No. 4 of 2013 (POPI Act) is now in operation, effective since 1 July 2020, following a lengthy process which started in 2013. And it couldn’t be more necessary for personal information to be protected as Covid-19 ramps up our digital connectedness more and more. 

While the act is now a legal obligation, penalties for non-compliance will only be enforced from July 2021. But this does not mean you should sit back and leave putting the essential processes in place until later.

If your business has not already ensured compliance, you may be wondering exactly what your obligations are.

Legal experts pop.law put it quite simply, stating: “The Act requires that all personal information needs to be processed lawfully and in a reasonable manner. This means that you are not required to have iron-clad foolproof processes in place, but that you must be able to defend your actions if called upon to do so.”

“In a nutshell, you need to position your business to be able to say ‘We did everything that could have been reasonably expected in the circumstances to comply with our obligations’. It will not be good enough to say that you weren’t aware of your obligations or that it wasn’t your fault that personal information was abused.”

Pop Law explains that processing information “lawfully and reasonably” requires that it be collected for a “specific, explicitly defined and lawful purpose. And you must communicate all of these to the person whose information you are collecting.”

“You cannot collect email addresses from your customers for the purpose of issuing their invoices, and then use those email addresses to market your new business products to them, or worse, sell that information to a third party for that other business to contact your customers.” 

In order to do so, you must disclose your intentions at the point of collecting the information and, most importantly, ensure that the person sharing the information consents to the use of their information for that specific reason.

Pop Law states, “As long as people know and understand what they are signing up for, you can continue your business with much less stress. Put differently, if you tell your customers that you would like to send them information about upcoming products or partner services, and they provide their consent for you to do this, you’re pretty much covered.”

That said, you must give people the opportunity to “opt-in” to these communications and sharing of their information.

Step 1: Audit

Do an audit of all of the existing information being processed by your business and why your business is collecting it. You also need to consider how it is being stored.

“Review agreements you have with others, especially looking at what the third party’s responsibilities are regarding the information you share with them.”

Step 2: Clean Up 

Remove any information that is no longer required by the business, including customers who are no longer using your services, but especially customers who have not consented to be on your database.

Step 3: Write up procedures

Put in place “best practice” procedures for how you want to move forward and for how long you will keep your customers’ information.

Step 4: Communicate

Communicate your processes to your users. Draft the relevant documents your customers will need in order to know what is happening to their information. These should include:

  • Consent forms
  • Privacy policies
  • Cookie notices
  • CCTV notices

Step 5: Train your people

Train everyone in your organisation to recognise when they are dealing with personal information, to understand what their own responsibilities are within your business, and to know who to contact if they have questions or concerns about your processes and procedures.

“Even the most robust compliance plan will fail if the people on the ground are not equipped to implement it. Training and education can never be a once-off exercise, and the business should have some idea of how often and in what way constant training needs to take place,” advises pop.law. 

Article courtesy of Lexis Digest