It’s the Final Countdown…
The Protection of Personal Information Act, 4 of 2013 (“POPIA” or “the Act”) requires that responsible parties keep plans and processes in place on how they process, store, and share personal information.
Responsible parties are required to respect their clients’ right to privacy and endeavour to collect and use information minimally, transparently, and for the purpose for which it was collected.
In our earlier article, we discussed how employers could benefit from compliance. However, we did not elaborate on the costs of non-compliance, nor did we discuss the practical solutions to the compliance conundrum that most small business owners face. With the effective date of POPIA looming, the questions we ask today are: should you comply, and if so, how can ARMS simplify compliance for you?
Who is the responsible party?
A responsible party is a person or entity which decides how personal information is processed and what it is used for.
A responsible party can be:
- a natural person;
- a juristic person (e.g. a company); or
- a group of companies if they make joint decisions regarding the processing and use of personal information.
As an employer, you will process and store the personal information of your employees, clients, suppliers etc.
Will POPIA apply to you?
The scope of POPIA is extensive. According to section 1 of POPIA, the Act will apply if the responsible party[1] has a registered place of business in South Africa (even if its headquarters are offshore) and it is processing[2] personal information[3] and entering it into a record[4].
What are the duties of the responsible party?
The overall responsibility for the processing of personal information lies with the responsible parties. They have control over the “why”, “when” and “how” of a data processing activity. The responsible party must comply with the conditions set out in Chapter 3 of POPIA, and all the measures giving effect to the conditions. These eight conditions include:
- promoting accountability;
- ensuring processing limitation of personal information;
- ensuring further processing limitation where applicable;
- ensuring purpose specification;
- maintaining information quality;
- maintaining openness;
- putting in place security safeguards; and
- promoting data subject participation.
When should the responsible party start complying?
According to section 8 of POPIA, the measures set out in POPIA must be given effect from the moment the responsible party determines the purpose and means of processing the information, and throughout the processing itself.
Are you ready?
The question for most employers caught up in the day-to-day duties of running their businesses is: are you ready for the commencement of POPIA on 1 July 2021? With less than a month to go before the commencement of this Act, do you know what is required of you to comply with POPIA?
If you are not ready, what may be the result?
A failure to comply with the Act may result in various sanctions. You could be charged with an offence in terms of the Act.
- A fine or imprisonment for a period not exceeding 10 years, or both a fine and imprisonment (in terms of section 107(a) of POPIA), can be imposed for the following offences:
  - obstructing, hindering or unlawfully influencing the Regulator or a person acting on behalf of the Regulator;
  - failure to comply with an enforcement notice;
  - knowingly giving false information before the Regulator; and
  - unlawfully processing account numbers.
- A fine or imprisonment for a period not exceeding 12 months, or both a fine and imprisonment (in terms of section 107(b) of POPIA), can be imposed for lesser offences, including breaching the duty of confidentiality by persons acting on behalf of the Regulator in respect of the personal information they obtain in the course and performance of their normal duties.
Avoid administrative fines
Even if you are not charged with an offence, the Information Regulator may fine you up to R10 million. The responsible party may elect to be tried in court for the alleged offence and will then be handed over to the SAPD.
Avoid civil action against you
A responsible party found guilty of non-compliance with POPIA can face action by the data subject, or by the Information Regulator acting on behalf of the data subject. As strict liability applies to the responsible party, it will not matter whether the data breach occurred in error.
Look out for our Compliance Solution Coming to you this Friday, June 4th, 2021.
ARMS: We Take the Pain Out of… POPIA
The consequences of non-compliance are severe, but the solution to compliance is simple. ARMS is preparing to launch a compliance manual and training programme to assist employers in complying with this new Act. If you are interested in this offering, please reply to the email we sent with the word “POPIA” in the subject line.
References
[1] See the above definition and refer to section 1 of POPIA.
[2] Anything that is done with personal information (such as collecting, updating, transmitting and deleting personal information). The “storing” of personal information also constitutes processing and, therefore, simply transferring information onto a hard drive constitutes the processing of personal information.
[3] Information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person. A responsible party’s customers, employees and suppliers all have personal information which must be protected. Personal information includes information about gender, marital status, language, age; ID numbers, other identifying numbers (e.g. passport number, number given to customers by companies) etcetera.
[4] Recorded information regardless of the form or medium. Examples include writing on any material (e.g. application forms); information produced, recorded or stored on tape recordings, computer (regardless of whether it is stored electronically or in a hard copy filing system).