In any situation, insufficient knowledge can lead to over-reactions and people suspecting the worst. This has been the case with POPI, says Elizabeth de Stadler of Novation Consulting.
Addressing compliance officers at the recent Compli-Serve SA POPI seminars around the country, she states that, in fact, POPI prohibits hardly anything and businesses should “beware of oversimplified, alarmist views; what you do now you will still be able to do, with only a few adjustments to how you, for instance, interact with customers.”
While the Act was promulgated in November last year, an effective date has yet to be set, nor have the accompanying draft regulations been finalised. Also, from the effective date, businesses will have a grace period of somewhere between one and three years. POPI will, however, apply to the personal information companies hold now.
Don’t Forget Those Dumpster Divers
According to de Stadler, the majority of privacy breaches are the result of identity theft. Perpetrators are not above ‘dumpster diving’ for pieces of paper with bits of identity information. “We tend to think about online hackers these days, but hard copies are still the biggest risk.”
“Personal information is not necessarily private information, so read the definitions carefully,” says de Stadler. “Just because a piece of information is freely available does not mean you can do what you want with it.”
POPI attempts to balance the right to privacy and the protection of personal information with other rights, such as the right to access to information. It aims to protect the free flow of information both within South Africa and across its borders and applies to ‘responsible parties’ domiciled in SA and regulates the sending of information outside of SA for processing.
“Globalisation is an ongoing challenge for law-makers: information is everywhere and does not respect national boundaries,” says James George, a compliance manager at Compli-Serve.
POPI is about how businesses collect, process and distribute personal information over the entire life cycle of the relationship with a customer. It applies to all staff members and juristic persons. ‘Processing’ means “any operation or activity or any set of operations, whether or not by automatic means” and includes a wide range of examples.
The definition of ‘personal information’ is also broad and includes things such as biometric information, personal correspondence and personal views or opinions. “If a client is likely to be surprised about how you’ve used their personal information, think carefully before going ahead,” said George.
In plain English, POPI requires businesses to:
- Know what data they have and why they have it
- Be transparent about how they use data
- Have the right consents from customers
- Ensure their data is secure; and
- Get rid of data when it is no longer needed.
“If you’re purchasing information from a data company, it’s your responsibility to ensure your supplier is POPI compliant,” George says.
“You generally don’t need consent to process information unless you’re doing something very strange or surprising, so try not to overburden your customers; proper notification will often avoid the need for consent,” de Stadler said. However, in the case of direct marketing, consent is required.
What should you do now?
Get a project team together and think about what data you have and what you do with it. Be wary of high-level audits, which can miss important aspects of your data processes and will usually tell you what you already know.
Definitely get rid of any data you don’t need: if it is still in your possession when the Act comes into effect, POPI will apply to it.