South Africa 'woke up' to POPIA (the Protection of Personal Information Act) in a big way on 1 July 2021 - mostly because of the many, many emails and social media messages doing the rounds that day, claiming that the new law requires consent for direct marketing or for membership of a WhatsApp / Facebook group, and that a failure to unsubscribe implies that such consent has been given going forward.
Well, not quite. POPIA is specific and strict on the issue of consent in general and consent for direct marketing in particular. Whilst the Act does not apply retrospectively, the continued processing of personal information obtained historically is subject to the Act and its enforcement provisions from 1 July 2021.
However, POPIA does not apply to all activities and communications involving personal information.
Employers and recruitment agencies commonly ask job applicants for their current (or past) payslip when they apply for a new position. This has always been a contentious issue, but most job applicants disclose it if a prospective employer insists, for fear of being side-lined if they challenge the request.
With the advent of POPIA, it seems the shoe will be on the other foot: such information constitutes personal information, so an employer that wishes to collect and use it must, as the responsible party, at a minimum comply with the eight conditions for lawful processing in respect of the job applicant as the data subject.
The eight processing principles / conditions include –
In South Africa, the Information Officer (IO) is the person within an organisation (as the responsible party) who is responsible for compliance with PAIA (Promotion of Access to Information Act) and now also POPIA.
Who is the Information Officer?
This position is automatically assigned to the head of the organisation (such as the CEO, a partner, or a sole proprietor in the private sector), who is the Information Officer by default. There is, however, provision for designating and officially appointing someone to this position, and for appointing Deputy Information Officers to whom such powers and responsibilities can be delegated. Accountability nevertheless remains with the head of the organisation, regardless of any delegation of responsibilities.
It is also interesting to note that, unlike the GDPR, POPIA makes no provision for outsourcing this position, i.e. appointing or contracting an external Information Officer. The position of...
A large proportion of an organisation's IP typically resides in email. Email is also the main vector for a host of cyber-attacks, including malware, phishing and social engineering.
POPIA compliance and data protection in relation to email concern both the technology and how the system is used.
On the one hand it is crucial to ensure email data security and data leak prevention solutions are put into place.
In addition, users (such as employees) should be educated on meeting POPIA requirements when they send, forward or reply to emails, and on how to react when they receive them.
Developing a compliant email strategy requires an organisation to first identify and map the flow of email data and its various components. Then it needs to demonstrate that this data is protected and controlled, and that the organisation knows all of the data touch points and storage points and who has access to them.
People / Users
POPIA compliance is complicated. It is not something that can quickly be tackled and completed within a week, or even a few weeks, before the compliance deadline of 1 July 2021. A 'POPI file' filled with templates and completed checklists sitting on a shelf or in a folder, ready for a random inspection, will not cut it. Neither will a generic 'POPI Manual' or policy bought from a service provider. Achieving actual compliance that will withstand court challenges, prosecutions, complaints and regulatory investigations requires a great deal more.
While we are all too aware that POPIA may be the last thing on people's minds when they are struggling with sheer survival in the midst of the Covid-19 environment, we do believe that there is room for awareness and education on the topic, and a slow 'easing in' for organisations and individuals to become familiar with a POPIA-compliant landscape.
Most of the remaining provisions of the Protection of Personal Information Act came into operation on 1 July 2020.
That means the anticipated 12-month transition period starts on 1 July 2020 and the effective date for enforcement (the date by which organisations must be compliant) will be 30 June 2021. Although there will be no sanctions for non-compliance until then, organisations must work towards compliance as soon as possible - and there is a lot to do.
It is expected that there will be further communications covering practical implications such as the registering of Information Officers.
POPIA applies to all local and foreign organisations processing personal information in South Africa. The Act will affect technology, policies, procedures and compliance frameworks across the business, including ICT, HR and marketing.
What is POPIA?
POPIA is the South African version of the European...