All your POPIA questions answered.
To whom does POPIA apply?
Any public or private body, or any other person which, alone or in conjunction with others, determines the purpose of, and means for, processing personal information (responsible party).
Any person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the responsible party (operator).
There are very few businesses in South Africa that will not be impacted by POPIA.
POPIA current status:
- POPIA in effect since 11 April 2014;
- Only sections 39-54 & 112-113 pertaining to the regulator were effective 30 June 2020;
- 1 July 2020 balance of the sections promulgated;
- Organisations only have until 30 June 2021 to ensure compliance;
- First piece of Comprehensive Legislation in South Africa; and
- Based on UK Data Protection Act 1998.
- EU GDPR to be effective on 25 May 2018.
What is the purpose of POPIA?
- Promote: The protection of personal information processed by public and private bodies;
- Regulate: The manner in which personal information is processed by establishing conditions in line with international standards;
- Provide rights: To data subjects to protect their personal information; Establish measures: voluntary or compulsory including the establishment of an information regulator.
The scope of personal information is extremely broad and includes any information that can identify a person including but not limited to:
- Biometrics – Biometric information blood type etc.
- History – Employment, financial, educational, criminal, medical history.
- Contact details – Email, telephone, address, etc.
- Demographics – Age, sex, race, birth date, ethnicity etc.
- Correspondence – Private correspondence.
- Opinions – Opinions of and about the person.
Why should I comply with POPIA?
- Reduce risk of data breaches.
- Improve the overall reliability of your databases.
- Increase customers confidence in your organisation
Consequences of non-compliance with POPIA - fine not exceeding R10 million by the Regulator; and imprisonment not exceeding 10 years.