What does POPI mean for my business?

The Protection of Personal Information Act 4 of 2013 (POPI) impacts any business which collects, stores, processes or disseminates personal information.

3 Aug 2022 4 min read Corporate & Commercial Alert Article

At a glance

  • The Protection of Personal Information Act (POPI) regulates the collection, storage, use, and dissemination of personal information by public and private bodies.
  • Personal information includes a wide range of data related to individuals, such as their race, gender, contact information, biometric information, opinions, and more.
  • Businesses, including start-ups, must comply with POPI's requirements, which include obtaining consent for data processing, ensuring data accuracy and security, and implementing appropriate policies and procedures. Non-compliance can result in significant penalties, including fines and imprisonment.

What is POPI

POPI regulates the collection, storage, use and dissemination of personal information, and promotes the protection of personal information processed by public and private bodies (referred to as responsible parties under POPI). It introduced certain conditions to establish minimum requirements for the processing of personal information.

What is personal information

Personal information includes, in broad terms, the following:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, belief, culture, language and birth of a person;
  • information relating to the education or the medical, financial, criminal or employment history of a person;
  • the e-mail address, physical address and telephone number of a person;
  • the biometric information of a person;
  • the personal opinions, views or preferences of a person; and
  • the name of a person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Personal information is found in five key areas: market research via direct marketing; online browsing from clients and customers via websites; employment agreements; customer-facing service agreements and third-party supply agreements. Personal information is collected, stored and disseminated all of the time – sending an email, writing notes about an applicant in a job interview, filling in personal information at a security gate or building entrance, throwing documents in the bin – all of this falls within the ambit of POPI.

What this means for start-ups

All businesses that process personal information are considered responsible parties and are required to comply with the provisions of POPI.

What businesses need to do now

Businesses should carry out a review of their company policies and procedures to ascertain the extent to which they comply with POPI’s requirements and, to the extent that they fall short, they should take appropriate steps to remedy such non-compliance. In carrying out such a review, the typical areas of focus are the following:

  • make sure that the business has a POPI policy;
  • make sure that the business has registered its “information officer” responsible for ensuring compliance with POPI and the Promotion of Access to Information Act 2 of 2000 (PAIA), including the development and publication of an access to information manual (i.e. a PAIA manual);
  • check that all existing company policies and procedures are POPI compliant (including any IT policies, market research / direct marketing methods, and online terms and conditions);
  • if any personal information is shared among group companies / suppliers / clients across international borders, ensure that these data transfers are carried out in compliance with the requirements of POPI;
  • ensure that all customer facing documentation and supply agreements are POPI compliant;
  • check that all employment agreements (including application forms, permanent, fixed-term, independent contractor, and consultancy agreements) are POPI compliant; and
  • ensure that any other documents specific to the business which regulate the collection, storage or dissemination of personal information are POPI compliant (including implementing records retention and destruction policies, implementing complaints processes for breach of personal information, and educating staff members).

Obligations on businesses

Businesses must ensure that the necessary consents for the collection, storage and dissemination of personal information are obtained, as and when required. In this regard, POPI prescribes certain minimum requirements for where, how, and why personal information is collected, stored, and transferred. The important steps include: (i) obtaining consent from the persons whose personal information is collected, to the extent required; (ii) restricting any collection, storage and dissemination to what is strictly necessary and the specific and lawful purpose for which collected; (iii) ensuring that records of personal information are not retained any longer than is necessary for achieving the purpose for which the information was collected; (iv) ensuring information accuracy; (v) ensuring that persons are aware what information is stored, the reason for storage, and their obligations and rights as regards such personal information; and (vi) ensuring that the necessary security safeguards to secure the integrity and confidentiality of the personal information collected are in place. Personal information includes so much, that compliance cannot be achieved by one person only – the whole business needs to take responsibility for POPI compliance.

Implications of non-compliance

Non-compliance with the provisions of POPI bears the risk of incurring significant penalties. In terms of section 107 of the act, any person who obstructs the Regulator, fails to comply with an enforcement notice, gives false evidence before the Regulator, or fails to ensure lawful conditions for processing, is liable, on conviction, to a fine or imprisonment for a period not exceeding 10 years or to both a fine and such imprisonment. Any person who fails to notify the Regulator if processing is subject to prior authorisation, breaches the duty of confidentiality, obstructs the execution of a warrant, or fails to comply with an enforcement notice is liable, on conviction, to a fine or imprisonment for a period not exceeding 12 months or to both a fine and such imprisonment. The act also provides for certain administrative fines, which may not exceed R10 million.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.