POPIA gives the Information Regulator significant enforcement powers including: conducting audits, issuing compliance notices, imposing large administrative fines, pursuing criminal prosecution, taking civil action in courts, banning non-compliant processing activities, and publicising enforcement actions. Consequences can include punishment under the law, damages, and reputational harm.
POPIA gives the Information Regulator powers to:
Non-compliance with POPIA can lead to: Regulatory fines of up to R10 million.
To develop a POPIA compliance program, companies should: get executive support, appoint dedicated compliance leads, do a privacy maturity assessment, establish a governance committee, map personal information flows to understand processing activities, enhance the incident response plan, review and update policies and notices, train staff, implement additional safeguards where needed, establish monitoring mechanisms, develop guidelines for impact assessments, have procedures to keep the program up to date, consider regulator certification and maintain records demonstrating implementation.
To develop and implement an effective POPIA compliance programme, companies should:
To conduct privacy impact assessments, companies should: identify the need for an assessment, determine the scope, describe the personal information and sensitivities involved, identify risks and gaps in controls, assess risks and impacts against POPIA’s requirements, consult stakeholders, develop recommendations to address risks, create implementation plans, do periodic reviews and updates, provide oversight and approval, and keep records of assessments.
A risk assessment must be done for every processing activity and involve these steps:
For data breaches, companies must: notify regulators promptly about serious breaches, provide details of breaches to regulators, notify affected individuals directly in high-risk cases, give recommendations to mitigate harm for notified individuals, keep internal records of all breaches that occur, consider voluntarily reporting less-serious breaches to build trust, review when regulators and individuals should be notified based on severity and risks, look for signs that encrypted information may have been accessed and report such cases to regulators, and notify regulators where needed for transparency.
POPIA requires that a company notifies
Take note that a company may delay notification under certain circumstances. Once it is ready to notify the regulator, it MUST use the form provided on the Information Regulator’s website.
For direct marketing, companies must: obtain explicit consent for marketing purposes, provide easy opt-out methods, register opt-outs to avoid contacting people again, only use information for purposes that match what consent was given for, be careful not to overstep with contact frequency, exercise caution when marketing to vulnerable groups, screen purchased marketing lists against opt-out registers, keep records demonstrating consent and opt-outs, stay up-to-date with laws like anti-spam legislation, only gather and keep information necessary for marketing activities and properly secure such information.
POPIA applies to direct electronic marketing activities and all the POPIA rules apply to the processing of personal information for the purpose of direct electronic marketing.
Explicit, voluntary and informed consent must be given, and companies have to ensure that:
Companies should avoid contacting people too frequently.
For retaining information, companies must: only keep personal information as long as necessary for the original purpose, define clear retention periods in policies, regularly review and update retention schedules, get consent for retaining information indefinitely, have secure procedures in place to delete information that’s no longer needed, keep records of information destruction, consider placing time limits on consent and see if information can be anonymized for longer retention.
A company should consider the following for data retention:
A company should consider the following for data destruction:
Data protection officers and compliance leads must: advise the business on privacy compliance, monitor compliance and conduct audits, handle people’s requests to access or correct their personal information, act as a contact point for regulators, help train staff, review the privacy impacts of new initiatives, deal with complaints and data breaches, investigate issues and recommend solutions, and stay up-to-date with regulations, risks and best practices.
To properly handle access requests, companies should: designate a contact point for requests, verify individuals’ identities before providing any information, respond within 30 days where possible or communicate timelines for more complex requests, provide information in a format that’s easy to understand, only charge fees for excessive requests, grant requests unless there are lawful grounds for refusal, log and document all requests received, balance access rights with confidentiality by redacting sensitive information where needed, seek guidance for tricky requests and provide the specific access rights afforded to individuals under POPIA.
To transfer personal information overseas, companies must ensure there are similar privacy safeguards in place for the destination countries or put binding agreements in place, obtain explicit consent from the people involved for transferring their information abroad, only transfer information for the purpose stated when obtaining consent and keep records of all cross-border data transfers.
Extra rules apply for transferring sensitive information and children’s personal information across borders.
POPIA only allows for the transfer of personal information outside of South Africa if the other country has adequate legal protection for personal information, or there are binding corporate rules or a binding agreement that provides the right protection.
It can also be transferred if the data subject consents to the transfer, or the transfer is necessary to fulfil a contract.
To get proper consent, companies must: clearly explain why the information is needed and what it will be used for, inform people of their rights under POPIA, get an obvious confirmation that consent is given through a positive action like ticking a box, allow people to withdraw consent at any time, keep records to prove consent was given, get explicit consent for collecting and using sensitive information and get fresh consent if the purpose for using someone’s information changes significantly.
Consent must be clearly stated, voluntary, specific and informed. It means that requests for consent must be in plain language, the person must understand what they are giving consent to, and the consent must be actively given (such as ticking a box).
Keep in mind that companies should allow people to withdraw their consent at any time, and that fresh consent must be obtained if the purpose of the collection of personal information has changed.
Unlawfully accessing or disclosing someone’s personal information can lead to: legal penalties, lawsuits, criminal charges, business disruptions, damage to reputation, loss of trade secrets and intellectual property. The consequences depend on how sensitive the information is, how many people are affected and whether it was due to negligence or deliberate wrongdoing.
If the rules of POPIA are not followed, companies may face:
Companies must: appoint dedicated compliance leads, obtain proper consent from customers when required, have valid and lawful reasons for collecting and using personal information, gather information directly from the people concerned where possible, only retain personal information as long as necessary for the original purpose, keep personal information secure, allow people access to their information and enable corrections upon request, properly train staff, conduct impact assessments for high-risk information processing activities, report serious data breaches to regulators and maintain records to demonstrate compliance with POPIA.
Under POPIA, individuals have rights to be notified about the collection of their personal information, ask for access to and corrections of their data, object to processing and direct marketing, make complaints to regulators, and be notified about serious data breaches. Companies must enable individuals to exercise their rights.
Under POPIA, individuals have the right to
Companies must not prevent individuals from exercising their rights.
To protect personal information, companies should classify data sensitivity, encrypt sensitive data, control access, train employees, audit controls, install security tools like firewalls and anti-malware, set strong password policies, back up data, monitor systems, develop incident plans, and stay up-to-date with threats and best practices.
Companies should take reasonable technical and organisational steps to secure personal information. Companies should:
To comply with POPIA, companies should: appoint dedicated compliance leads, figure out how information flows through the business, review policies, get proper consent from customers, have valid reasons for using people’s information, put good security controls in place, give people access to their information upon request, only keep information as long as necessary, properly train staff, regularly check compliance and do comprehensive impact assessments for high-risk information processing activities. Following POPIA is an ongoing responsibility and requires real commitment to privacy governance.
Companies can ensure compliance with POPIA by following these steps:
Remember that compliance is an ongoing responsibility and requires a commitment to good privacy governance.
Not complying with POPIA can have serious consequences like:
Not complying with POPIA can have serious consequences for guilty parties, such as:
POPIA uses a broad definition of personal information. It refers to any information that can be used to identify a living person or an existing group. This includes things like: names, contact details, ID numbers, email addresses, biometric data, IP addresses, and even inferences drawn from other information.
Especially sensitive personal information, such as religious beliefs, race and political views, also gets special protection under POPIA.
Personal information refers to any information that can be used to identify a living person or an existing business. This includes things like: names, contact details, ID numbers, email addresses, biometric data, IP addresses, and even deductions made from other information.
Extra sensitive personal information, called special personal information, gets special protection under POPIA. Examples include religious beliefs, race, and political views.
POPIA has eight core rules: responsibility, limiting how info is used, specifying why it’s used, limiting further use, high-quality info, openness, security, and involving people the info is about. Companies must follow these and meet needs like: getting consent, having lawful reasons to use the info, only gathering necessary info, securing info, giving people access to their info, etc.
POPIA has these eight core rules: Accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.
These rules govern things like getting consent, gathering and using personal information, securing personal information, and giving people access to their personal information – and much more.
The Protection of Personal Information Act, or POPIA, is South Africa’s data privacy law. It sets the rules for how companies gather, use, and share people’s private information. POPIA aims to protect people’s right to privacy and build trust in the digital world.
For businesses in South Africa, following POPIA is key. It helps avoid getting fined, keeps customers’ trust, and gives companies a competitive edge.
The Protection of Personal Information Act, or POPIA, is South Africa’s data privacy law. It sets the rules for how companies gather, use, and share people’s personal information. POPIA protects the right to privacy and builds trust in the digital world.
Companies in South Africa must comply with POPIA. Compliance means that companies keep their customers’ trust, it gives them a competitive edge, and helps them to avoid fines.
We offer bespoke pricing for all clients. We offer bulk ‘slot’ packages, where companies can purchase a bundle of slots upfront to distribute across our training programmes over a 12-month period.
The more slots purchased, the larger the discount. This allows organisations to train as many employees as needed on essential compliance and skills development topics at a competitive rate.
Contact us for a free consultation and custom pricing proposal based on your organisation’s requirements.
POPIA establishes guidelines for processing personal information. This programme offers an overview of the rules your employees must follow. On completion, trainees will understand:
* The relevance of POPIA and who must comply
* The definition of “personal information”
* When information is “processed” under POPIA
* The rules for properly processing information
* Practical steps to ensure POPIA compliance
* Consequences of non-compliance
POPIA sets conditions for processing personal information. This programme explains POPIA’s rationale and aims. With POPIA now law, train your employees on proper processing of personal information.
Given that POPIA covers employee and client information, breaches can impact your business. This programme demystifies “personal information” and explains when and how employees must comply.
Pharma Event: What part are you playing in the illegal supply of medicines?
(in Pharmacovigilance, by Nino Haasbroek)
Competition law compliance programme: mitigating factor or wasted expenditure?
(in Competition Law, Featured Resources, by Marylla Govender)
The recent amendments to South African competition legislation led to a sharp increase in the number of organisations requesting training for their employees on competition law. We are often asked if the investment in a competition law compliance programme is worth the time and money spent.
Sadly, in our experience, most organisations implement a competition law compliance programme for one of two reasons: 1) they have committed to doing so as part of a consent order signed with the authorities after contravening the law; and/or 2) they operate in a sector that has been identified by the authorities as one to “monitor” and their lawyers have recommended that they take precautionary steps. Few organisations seem to view the pro-active implementation of a competition law compliance programme as a non-negotiable part of good governance.
Employee policies: Help your employees play well with others
(in Policy Passport, by Novation Consulting)
We often joke that when we start working on a specific kind of document for one client, several others want the same thing at the same time. It’s a strange, but happy coincidence that we’ve seen with financial services, insurance policies, privacy notices and now employee policies. But why are they suddenly all the rage?
If you’re a start-up and you’ve just started hiring employees, the list of policies you need could be very daunting. Some companies ignore the policy writing process completely, hoping for the best. Others download general templates and try to massage them to suit their company’s needs. Obviously, neither is ideal, so here are our insider tips for stress-free policies, since this is what we’re working on right now.
SA’s largest data breach & how you can protect your data
(in Protection of Personal Information Act, by Compliance Online)
It turns out SA’s largest recorded data breach was traced to a Web server registered to a real estate company based in Pretoria, Jigsaw Holdings. They are a holding company for several real estate franchises including Realty1, ERA and Aida. Apparently, this website had exceptionally lax security and contained a database of 75 million records, including the records of 60 million SA citizens.
It seems that hacking wasn’t required to get access to these records, as the information was easily accessible on an open Web server. The same credentials were used everywhere and allowed full administrator access across all the databases on the server. All personal data was contained in a single database in clear text. It indicates an overall lack of even the most basic security awareness.
Jigsaw Holdings missed the mark on so many levels; information governance and security were never considered.
Competition Commission releases Draft Guidelines on Information Exchange between Competitors
(in Competition Law, by Marylla Govender)
Information is integral to making informed decisions. When conducting business, obtaining information on the market in which one competes is important to the success of a well-functioning firm. However, when competitors share information a line can be crossed, and therefore caution is required due to the risk that it may result in anti-competitive outcomes.
In line with the approach followed by other international jurisdictions, the Competition Commission has recently released draft Guidelines for comment relating to information sharing between competitors.
Financial Intelligence for your Business
(in Financial Intelligence Centre Act, by Eunice van Zyl)
The Financial Intelligence Centre Amendment Act, 1 of 2017 (“the Amendment Act”) was signed into law by the President and published on 2 May 2017. Some of its provisions came into effect on 13 June 2017, while the majority of the remaining provisions will come into effect on 2 October 2017.
Why was it necessary to amend the Financial Intelligence Centre Act (“FICA”)?
South Africa is a member of the Financial Action Task Force (“FATF”), an international body that develops and promotes measures to combat money laundering, terrorist financing and other threats to the integrity of the international financial system.
Compliance Online selected as a National Gazelle
(in Compliance Insights, Featured Resources, by Compliance Online)
We are proud to announce that Compliance Online has been selected as a member of the leading SME development programme, The National Gazelles, for 2017.
The National Gazelles is a flagship programme of the Small Enterprise Development Agency (Seda) and the Department of Small Business Development. The programme supports the development of a new generation of successful businesses.
Compliance Online was selected after a rigorous four-stage process to participate in this programme, which identifies enterprises countrywide that demonstrate a proven success record combined with further growth potential.
Act competitively: A Practical Guide to the South African Competition Act
(in Competition Law, by Compliance Online)
Economic uncertainty appears to be the order of the day, especially on home soil, and the contest between businesses to gain market share remains challenging. We are all impacted in some way or another by this race for economic power and prosperity.
How then is it possible to strive towards a free market where businesses have equal opportunities, economic efficiency is achieved, consumers are protected and ultimately economic growth is stimulated?
The answer, in short, is a robust competition policy, which is underpinned at its foundation by sound economic policies.
Follow-on damages – the new kid on the block for competition law non-compliance?
(in Competition Law, Featured Resources, by Marylla Govender)
Compliance Online directors launch the much-awaited 2nd edition of “A Practical Guide to the South African Competition Act”
(in Competition Law, by Compliance Online)
This prestigious event, which marked the launch of the second edition of the book A Practical Guide to the South African Competition Act, was held at the offices of the law firm Webber Wentzel on the evening of 5 April 2017.
The keynote speaker of the evening was the honourable Judge President Dennis Davis and he held the distinguished audience captive with his presentation on “The rapid evolution of competition law in South Africa – navigating the precarious road ahead”.
The guests of honour included the editorial team and authors, Minette Smit (née Neuhoff), Marylla Govender, Martin Versfeld and Daryl Dingley. Minette and Marylla are both directors of Compliance Online and their in-depth knowledge of the competition legislation in South Africa has contributed to the success of the online training solutions they offer to private and public entities on this subject.
Read more about why this book will be appreciated by business people, legal practitioners, economists and academics alike in the article below.
“A Practical Guide to the South African Competition Act” is available from the Lexis Nexis online store.