This legislation, among other things, promotes the protection of personal information processed by public and private bodies, introduces minimum requirements for the processing of personal information, outlines the rights of data subjects, regulates the cross-border flow of personal information, introduces mandatory obligations to report and notify data breach incidents, and imposes statutory penalties for violations of the law. If yours is a business that collects and processes personal information of South Africans, you have just a few more weeks, until 30 June this year, to ensure that you are compliant with POPIA.
Compliance check
Can you answer yes to the following questions?
Have you met the eight conditions for processing personal information? There are eight conditions for the lawful processing of personal information according to POPIA and your business should now have ensured that it can meet all of these eight conditions.
The information officer
The Information Regulator has published a guidance note in respect of the appointment of information officers and deputy information officers. Although POPIA does not require that an information officer must be a local person, the guidance note provides that to ensure accessibility, the information officer of a multinational entity based outside the Republic must authorize any person within the Republic of South Africa as an information officer.
POPIA also provides for the appointment of deputy information officers. Concerning the appointment of deputy information officers, the guidance note states that the information officer of a multinational entity based outside the Republic must designate any person within the Republic of South Africa as a deputy information officer. A person designated as a deputy information officer should be afforded sufficient time, adequate resources and the financial means to devote to matters concerning POPIA and the Promotion of Access to Information Act, 2000 (PAIA). In addition, the guidance note provides that an information officer or a deputy information officer should report to the highest management office within the private body. This means that only an employee at the level of management and above should ideally be considered for designation as an information officer or as a deputy information officer of a body. A deputy information officer should be accessible to everyone, particularly to a data subject in respect of POPIA or a requester in terms of PAIA.
Deputy information officers are required to have a reasonable understanding of POPIA and of the business operations and processes of the private body. In addition, only employees of a South African company can be appointed as a deputy information officer. In this regard, the guidance note specifically provides that a deputy information officer must be based in South Africa. Depending on the circumstances, any obligation or liability incurred as a result of any delegation of any powers, duties and responsibilities to a deputy information officer will be imposed on either the information officer or responsible party in so far as POPIA is concerned.
To ensure a level of accountability by a delegated deputy information officer, private bodies are encouraged to ensure that such duties and responsibilities or any power delegated to a deputy information officer is part of their job description. The person authorizing any person as the information officer of a juristic person retains the accountability and responsibility for any power or the functions authorized to that person. The information officer may be any one of the following: (i) the chief executive officer (CEO); (ii) the managing director (MD); (iii) an equivalent officer to the CEO or MD; or (iv) anyone duly authorized by that officer. The information officer must be registered with the Information Regulator to perform the duties and responsibilities set out in POPIA.
The names and contact details of a company’s information officer and deputy information officer will be made available on the Information Regulator’s website.
The Manual
A manual in terms of section 51 of PAIA is also required. The manual must be lodged with the Information Regulator and it must be made available on the company’s website.
Direct Marketing
POPI requires an “opt-in” system for direct marketing. From July 2021, businesses will be prohibited from approaching consumers, for direct marketing, unless:
Consent
Your business may approach a data subject only once to request the data subject’s consent:
Your business may process the personal information of a data subject who is a customer of the business:
Breach Notification Under POPIA
If your business experiences a data breach, it must notify the Information Regulator and the data subject, where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person. This notification must be made as soon as reasonably possible after the discovery of the compromise and you can only delay the data subject notification if certain exceptions apply.
Businesses must report every breach, regardless of whether it caused potential significant harm.
In terms of the obligations of operators, any person who processes personal information on behalf of another business (i.e., the responsible party), in terms of a contract or mandate, must notify that business immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by any unauthorized person.