The Protection of Personal Information Act (POPI Act) has flooded our social media channels, news outlets, and email inboxes over the past week, since its inception on the 1st of July 2021. It has left many asking themselves questions, auditing their privacy settings, and ultimately contemplating why it’s taken South Africa by storm.
Here are 5 key questions and answers that businesses and individuals need to know with regard to the new POPIA legislation:
1. Who has to comply with the POPI Act and by when?
The POPI Act applies to every single organisation operating in South Africa or any individual who processes personal information within the country. The Act protects any and all information that can be identifiable and related back to an individual or organisation.
The POPI Act was actually approved and came into effect on the 1st of July 2020, with organisations having until the 30th of June 2021 to become compliant – explaining the Act’s sudden surge in media.
2. How and what does an organisation need to do to become compliant?
Each organisation, small or large, will need to name an official POPI Act officer whose role will be to follow and ensure full compliance. The officer will also need to declare how the organisation will become compliant, how the processes will be executed, and how their compliance will be monitored.
Highlighting 3 key points in the process:
- Information Security Management – ensuring the protection of the confidentiality, integrity and availability of information.
- Privacy – controlling what the organisation uses personal information for.
- Records Management – what information the organisation needs and for how long this data will be kept.
Furthermore, the organisation as a whole will need to audit and assess whether its business processes align with the POPI Act – ensuring that all internal and external processes comply with the Act.
3. How long does it take for organisations to become compliant?
The POPI Act will have an impact on all organisations as they hold the personal information of customers, employees, service providers, suppliers and members of the public. Every business process that relies on this personal information has to be aligned with the Act – this will require continuous monitoring and maintenance as new information is constantly flowing in and out of the organisation.
4. What are the consequences if an organisation does not comply?
Organisations that do not comply with the POPI Act by the 1st of July 2021 stand the risk of being investigated by an Information Regulator and can be fined heavily – while dealing with months of business disruptions and massive public image damage.
5. Besides the legal reasons, why is the POPI Act so important?
It’s for the people. By the people. Research shows that brand image, confidence and loyalty are directly related to the manner in which companies treat, protect and care about their customers.