What does POPI compliance mean?
By Jan du Toit
Latest developments – Registration of Information Officers:
On 17 May 2021 the Information Regulator’s long awaited online portal went live for the registration of Information and Deputy Information Officers.
The Information Officer of a Responsible Party is the person at the head of your company (CEO or MD) or any person acting in such capacity, or specifically appointed by the MD or CEO to be the Information Officer. Registration must be completed before the end of June 2021.
The address for the portal is https://justice.gov.za/inforeg/portal.html
The following information is required to successfully register:
- Company name.
- Company registration number.
- Company type.
- Company physical and postal addresses.
- Company telephone and fax numbers.
- Information Officer gender, nationality, full name and surname, ID or passport number.
- Deputy Information Officers: the same details as above.
POPIA Compliance – what must be done?
With a little more than a month left before POPI becomes fully effective, many employers may find themselves out of time to become fully compliant with, amongst other requirements, the 8 processing conditions prescribed in the Protection of Personal Information Act.
To be considered compliant the following must be considered and applied in the business of a Responsible Party before 1 July 2021.
- POPI training / awareness sessions for the CEO / MD, managers and others tasked with the company’s POPI compliance project. Have a look on our website for the next POPIA training dates.
- A compliance audit conducted company-wide, per department / division, to determine the current processing practices within the organization and to establish what needs to be done to be compliant.
- Correction of contraventions as identified, and the introduction of reasonable technical and organizational measures to prevent the loss of, or unauthorized access to, Personal Information.
- Introduction of Data Subject rights and consent in the business through policies and consent clauses / paragraphs / contracts.
- The introduction of a PAIA manual (Promotion of Access to Information Act) that incorporates data subject rights and participation in terms of POPIA. This manual must be published on one of the company’s websites. It is also important to note that the current exemption granted by the Minister of Justice, which allows some businesses not to have such a manual in place, expires at the end of June 2021.
- General staff POPI policy and legislation awareness training.
- Registration of the company’s Information Officer (the CEO, MD or any person acting in such position).
- Follow-up assessment of compliance measures and adherence thereto.
It is important to note that no institution, not even the Information Regulator, can “accredit” any Responsible Party in South Africa as compliant in terms of the legislation. Compliance (or otherwise) will only be determined should an investigation be launched by the Information Regulator following a complaint. Should such an investigation confirm a lack of compliance, consequences such as an administrative fine not exceeding R10m may follow (which one may luckily pay off in instalments). Further to this, those whose rights are infringed upon by a Responsible Party not adhering to the requirements of POPIA may also institute civil proceedings. Such proceedings may result in compensation being awarded for loss, as well as aggravated damages determined at the discretion of the court.
In terms of section 19 of the Act, the Responsible Party (business owner / employer) is required to introduce reasonable organizational and technical measures to secure the integrity and confidentiality of Personal Information. The organizational measures referred to above include, inter alia, both internal and external policies that introduce the principle of protection of personal information in the workplace, as well as the rights of data subjects.