What you need to know about the POPI Act

Jul 22, 2019 | Tutorials

If you watch the news, listen to the radio, or browse the internet, then the term POPI (or the POPI Act) will probably have come up in conversation. However, it’s usually followed by a stream of complicated words and legal jargon, which tends to leave a person more confused than before.

So what IS the POPI Act, and how will it affect SMEs in South Africa? This article is here to tell you all about it.

The Basics of the POPI Act

So what does POPI stand for? P.O.P.I stands for the “Protection of Personal Information” Act (which is where the “A” in POPIA comes from). This law applies to companies and individuals who process their customers’ (or other people’s) personal information.

In layman’s terms, this refers to everything from contact details, to medical and financial history, age, sex, race, ethnicity, email accounts, phone messages, and the list goes on. Basically, if it’s private information that belongs to a person, it’s covered (and protected) by the POPI act.

Does this mean that we’re not allowed to have our friends’ and family’s phone numbers stored on our phones? No, nothing that drastic. You can think of the POPI Act as more like a school ground supervisor than a policeman. It’s not saying you’re not allowed to collect and process personal information. It’s merely adding rules that limit what you’re allowed to do with that information. This is done to protect the privacy of all individuals involved.

Why is POPI needed?

Since the advent of the internet, information has become increasingly easy to find. A few clicks on Facebook or LinkedIn and you can know pretty much anything about anyone. However, that’s all information that they publicly released themselves. What happens when information about their medical or financial history is released without their knowledge? That’s why the POPI Act was put in place: to protect the more sensitive information of a person. This information could be anything typed in when registering for a new bond, buying something online, or filling in an online survey.

What does this mean for companies?

Well, this is a rather broad question, as the POPI act pertains to a wide range of industries and information types. That being said, some of the main POPI act restrictions are as follows:

The information must be relevant to the business
This means that a company that only needs your contact details (such as a marketing company, for example) may not request medical history or bank statements.

Security measures are required
Companies that collect information are required to have security measures in place to protect that information.

Expiry dates on information
Companies are only allowed to hold onto information for as long as they need it.

Data must be available for the customer
Any customer who has provided information to the company has the right to request it from the company, and the company is obligated to provide it.

These are just a few of the areas protected by the POPI Act, and they show why it is needed. It acts as a safety net for personal data, as well as protection for companies who process personal data.

The GDPR: Europe’s POPI

However, there are more benefits to be had here than just the protection of South African data. Having the POPI Act in place opens doors to online business with EU companies. You see, in Europe, they have stricter data protection laws. Having the POPI Act in place means that EU companies will be more likely to conduct business with South African SMEs, as they will be able to trust us with more sensitive information. This will open a lot of doors for IT-based South African businesses, as long as they are POPI-compliant.

How do I become POPIA Compliant?

There are many companies that offer POPI training for employees, as well as POPI assessments and solutions.

This can be anything from them sending someone to assess your company and write up a report regarding your POPI security, to sending a consultant to do the above and then fix all of the problems. Many companies employ a DPO (Data Protection Officer). He or she oversees the general POPI security levels of the company on a day-to-day basis. Additionally, you can hire a company to install safeguards on your server to protect your company from outside threats.

If you want to know more about the POPI Act, you can go to http://www.justice.gov.za/legislation/acts/2013-004.pdf to read the full POPI Act for yourself.