South Africa’s comprehensive Protection of Personal Information (POPI) Act is now in effect. It is one of the world’s most sweeping regulations around personal information and carries hefty fines for businesses that break the law. In short, the POPI Act outlines how businesses, websites and government departments can process the personal information of their customers or citizens.
While the POPI Act does not require companies to get consent from customers to process their private details, they do need to comply with the 11 strict conditions detailed in the legislation. This Act was initially passed in 2013, but South Africa had until 1 July 2021 to fully comply with the new laws.
The POPI Act is important because it protects the personal information of citizens from theft, discrimination or misuse. This information includes names, nationalities, ages, bank account numbers and health statuses. While this Act has posed many obstacles for businesses in financial services, healthcare, marketing and information technology, it does mean that the people of South Africa are less likely to fall victim to identity theft, data hacks and scammers.
What does the POPI Act mean for internet users?
Internet users routinely enter personal information into social media sites, e-commerce stores and official websites. Many people may have Googled their own names and been surprised at how much information is stored in the results pages. The POPI Act now allows internet users to request the removal, correction or destruction of personal information from search engines and websites.
They are allowed to do so if the information is inaccurate, irrelevant, out of date, incomplete, misleading or if it has been obtained unlawfully. Businesses, websites and online stores are held accountable for this information and must act on any request by a citizen if it falls in line with the legislation. This is a massive improvement for privacy and control over one’s personal data.
POPI Act for businesses
All businesses must now comply with the POPI Act and ensure that their customers’ personal information is protected from theft, unauthorised access, interference, modification, destruction and disclosure to third parties. Chapter 3 of the Act prescribes the eight conditions (and three additional conditions) that a company or website must meet when processing personal data. Some of the most noteworthy points are outlined below:
- Personal information must be processed lawfully and reasonably in such a way that it does not infringe on privacy.
- Data must be processed for a specific purpose. In addition, it must be adequate, relevant and not excessive to the purpose for which it is processed.
- The company or website must obtain personal information directly from the customer or user, not from a family member or third party.
This Act obviously holds significant implications for businesses that deal with private information, such as banks, insurance companies, healthcare, schools and online stores. Failure to comply with the laws can result in hefty penalties: fines of up to R10-million and/or up to 10 years in jail. This is why it is vital for companies to be aware of the Act and ensure that they follow the regulations properly.