We are still receiving a number of calls from our members who are struggling to implement the POPI Act practically within their businesses.
We have therefore put together a simplified practical guide with templates to assist you in becoming POPI Act compliant. Unfortunately, it is not a case of one size fits all; each business is different. When you make use of the guide and the templates, please read them in full in conjunction with all the provisions of the Act and Regulations and apply them to your business's particular circumstances, in order to protect your business, to ensure that it complies fully with the POPI Act and Regulations, and to avoid prosecution.
The guide below is intended to assist you in navigating the task of becoming POPI Act compliant. Peter Cumberlege, Legislative Consultant to FEDHASA, has prepared the guide and templates with all of the above in mind.
Introduction
The Protection of Personal Information legislation [POPIA] will affect businesses in varying ways – unfortunately it is not a case of one size fits all.
As the legislation is lengthy and fairly complex, many requests have been received for a more simplified and understandable version. The guideline and templates below have been compiled with this in mind. It must be stressed, however, that if you choose to make use of this document, then in order to protect your business and ensure lawful implementation and compliance, the guide must be read in conjunction with all of the provisions of the Act and Regulations.
This guide does not cover all of the legal requirements as set out in the Act and Regulations. There are no shortcuts when it comes to protecting your business against prosecution.
To view the Act and Regulations – click here
Broad guide to implementing the requirements of the Protection of Personal Information Act
- Read through the definition of “Personal Information” click here and “Processing” click here in order to familiarise yourself with the scope of the data defined as personal information and what the processing of this information entails. For an outline of the personal information you are likely to be processing click here
- Read through the summarised version of section 3 click here and the summarised version of section 4 click here which outlines the application, interpretation, prohibitions and lawful processing of personal information.
- Read through the summarised version of Chapter 3 click here which expands on the seven conditions under which personal data may be collected and processed and provides an outline in layman’s language (where possible) of all of these conditions.
- Commence an audit by listing all of the personal information you currently process and have on record. Consider recording the specific data under these suggested headings click here and then categorise the information under each of the headings into three further sub-divisions: a statutory requirement (required by law); an operational necessity (for example, account payment information); and marketing, promotional and other information.
- Go through the statutory and operational necessity categories and ensure that the information recorded and retained is exactly as required and that the information is adequate, relevant and not excessive. Check the validity of all of the information you have on record in terms of “consent, justification and objection” click here. You may retain the personal information required by law for the period required by that particular enactment, and you may retain information that is of an operational necessity for the period that it is reasonably required.
- Take a look at the personal information you keep on record for marketing, promotional and/or other purposes. If you have such information, apply the “consent, justification and objection” criteria as mentioned above click here and in addition read through the provisions dealing with direct marketing click here. To retain this information and to continue to forward marketing material or other communiqués, you will need to obtain the data subject’s permission.
- When going about obtaining the data subject’s consent (when necessary), many businesses send out a generic email to their clients/suppliers setting out the information they have on record and why, and stating that if the data subject no longer wants to receive marketing material or other communiqués they may request that they be removed from the database and that their personal information be deleted/destroyed. For a sample template (clients/suppliers etc.) click here. In addition, most businesses provide a link to a privacy policy set out on their website. What is a privacy policy and what does it contain? – click here
- The same principles that apply to your clients apply to your employees. You need to notify them of the personal information you have on record and why. To view a suggested employee sample template click here
- Having sorted out the personal information you currently have on record, you will have a good idea of what data you intend to lawfully record and retain and how you intend to secure it in future. You will initially need to go through, and probably amend, all of your existing templates/forms/cards etc. that are likely to be completed by or on behalf of guests / subscribers / members / employees in the future. With the likelihood of many changes taking place, it would be advisable to set up a written policy for both you and your senior employees. What would such a policy include? – click here
- In terms of the Act you will need to appoint an information officer, who is required to carry out specific responsibilities. You are also required to register the information officer; however, the registration portal on the Information Regulator’s website is not functioning at present and currently states “Please note we are experiencing a high volume of registrations on the portal which is causing some delays and technical issues. Our technicians are working on it. We apologise for the inconvenience caused”. Keep watching the portal – https://www.justice.gov.za/inforeg/index.html. Click here for further guidance on the responsibilities of the information officer and deputy information officer, and click here to view the guidance notes.
Please Note – The views expressed and content contained in this document and in all of the attached addendums are those of the writer and do not represent the views of any other person or organisation. The information may contain inaccuracies or typographical errors. Peter Cumberlege, FEDHASA and its advertisers and associated third parties disclaim all liability for any loss, damage, injury or expense of any nature whatsoever and howsoever caused, arising from the use of or reliance upon, in any manner, the information provided in this document and the addendums. Such damages and/or losses shall include, but not be limited to, direct, indirect, special or consequential damages. Peter Cumberlege and/or FEDHASA do not warrant the accuracy, veracity or completeness of the information provided. FEDHASA – July 2021