Protection Of Personal Information (POPI)

Acumen Holdings, Anthony Sterne

POPI – The Protection of Personal Information Act is crucial for doing business.Not only because it could result in fines, is criminal sanctions and even imprisonment; but more importantly confidence of the public and your clients essential in the digital age.

POPI is the piece of legislation that seeks to give effect to the right of privacy as guaranteed by the Constitution. It is not a draconian piece of legislation that seeks to restrict or prohibit the free flow of information, but rather to endorse the responsible and secure manner in which this free flow is controlled. The right of a business to gather information is balanced against the right of the individual’s privacy.

POPI applies to a process more than to a person or organisation. That process is the one of gathering data; if you gather data then you must comply with POPI. POPI has established certain data principles that define and underscore the data processes.

Those principles are applicable to both the gathering and the holding of data. It is important that every organisation understands at minimum the following about POPI compliance:

• the legitimate grounds for collecting and using personal data collected in order to ensure that data is not used in ways that have unjustified adverse effects on the individuals concerned;

• the lawful purpose for which data are being collected to ensure that the data shall not be further processed in any manner that is contrary to that purpose or the purposes for which the data were collected;

• the extent of information that is required for the purpose as intended and to ensure that they collect adequate and relevant information and prevent any excessive information collection;

• the information retention periods and requirements applicable together with destruction processes and procedures;

• the rights of individuals, i.e. data subjects, in terms of POPI;

• security measures required to prevent the unauthorised or unlawful processing of personal data or access to personal data, including accidental loss or destruction or damage to personal data;

• when it becomes necessary to transfer data outside the country, to understand the roles, duties and responsibilities of all parties involved; and

• what processes and procedures should be in place to ensure that data is kept up to date and current and accurate at all times. Each company needs to audit their existing processes and systems, identify the shortfalls, and then develop a proactive plan to seek to correct or improve those processes.