Before the enactment of POPIA, members of the public were subject to unregulated collection, retention, dissemination and processing of personal information, and to the unregulated use of that information, without accessible recourse. In an increasingly digital environment, Parliament saw fit to introduce legislation to protect individuals against the growing misuse of personal information.
POPIA is South Africa's first comprehensive privacy statute, otherwise known as South Africa's data protection law. It gives substance to the right to privacy contained in our Bill of Rights by creating a legal framework within which personal information can be processed in a manner that respects the right to privacy and enhances a regulated information economy.
The stated purpose of POPIA is, inter alia, (a) to promote the protection of personal information processed by public and private bodies, (b) to introduce certain conditions so as to establish minimum requirements for the processing of personal information, and (c) to regulate the flow of personal information across the borders of South Africa. In practical terms, POPIA sets conditions for the lawful processing of personal information in order to protect the public from harm, including financial loss and identity theft, and generally to protect our privacy.
The Information Regulator has been constituted to monitor and enforce compliance by public and private bodies with the provisions of POPIA.
POPIA commenced on 1 July 2020 and gives parties a grace period of 12 months (until 30 June 2021) to comply with its provisions. POPIA's reach is wide and its commencement impacts every public and private body in South Africa.
Compliance with POPIA
POPIA regulates all organisations that process personal information. This covers information about employees, customers and suppliers, and it extends to organisations that outsource key processing activities, share data offshore, or engage in direct marketing.
An important question then is whether or not you are required to comply with POPIA.
The majority of organisations are required to comply with POPIA. However, there are some which are exempt.
The basic test to determine whether an organisation is required to comply with POPIA is as follows:
- The organisation is domiciled in South Africa, or
- The organisation is not domiciled in South Africa, but processes personal information in South Africa (in other words, uses equipment like a server or computer located in South Africa to process personal information), unless the equipment is used only to forward personal information through South Africa.
POPIA defines personal information very broadly to include a wide range of information that can be used to identify a data subject (natural or juristic). Notably, POPIA refers to the personal information of juristic entities, meaning that businesses will be able to enforce their data protection rights under POPIA.
POPIA also defines processing broadly, including various actions that can be taken in relation to personal information, including its collection, receipt, storage and use. Interestingly, POPIA focuses on the location of processing rather than the location of the data subject. This means that, notwithstanding that the data subjects are in South Africa, an organisation is not required to comply if it is domiciled outside South Africa and processes the data outside South Africa.
If an organisation meets one or both legs of the test, there is still a chance that it is not required to comply with POPIA, as the processing of some personal information is excluded. For example, if you are processing purely for a personal reason or as a household activity, POPIA will not apply. Furthermore, if the information is de-identified to the extent that it cannot be re-identified, POPIA will not apply. A full list of exclusions is contained in section 6 of POPIA.
It is important to note that non-compliance with POPIA can result in significant penalties, up to ten years' imprisonment and/or R10 million in administrative fines. An organisation may also be required to pay compensation to data subjects for the damage they have suffered.
Parties involved in POPIA Compliance
POPIA involves three parties (who can be natural or juristic persons), being (1) the data subject, (2) the responsible party, and (3) the operator. The responsible party is the party/organisation that determines why and how personal information is processed. It is the body ultimately responsible for the lawful processing of personal information. The operator is the person/organisation who then processes the personal information on behalf of the responsible party.
Alongside these parties stands the Information Officer. Every organisation has an Information Officer by default. The Information Officer is responsible for ensuring the lawful processing of personal information and for ensuring that the organisation complies with POPIA. The full responsibilities of the Information Officer are set out in section 55 of POPIA.
The role of Information Officer is, by default, assigned to the Chief Executive Officer or the Managing Director or equivalent officer of a private company. S/he is then entitled to delegate this to someone else. It is therefore important for organisations to determine who to appoint as Information Officer. Draft guidelines for Information Officers have been published, but have not yet been made final.
The Information Officer needs to be registered with the Information Regulator (section 55(2)). However, this will only be possible at some point in the next 12 months. The South African Information Regulator plans to develop an electronic portal, enabling an organisation to register its Information Officer and enabling the public to access the register of Information Officers, by 3 March 2021.
Conclusion
Although data protection is complex, the costs of non-compliance are significant. It is important for organisations to ensure they are processing personal data lawfully and that they are protecting the personal data they process in a practical and effective way. In particular, section 19 of POPIA requires a responsible party to secure the integrity and confidentiality of personal information by taking appropriate, reasonable technical and organisational measures, and section 22 requires the Regulator and affected data subjects to be notified where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.
POPIA protects individual freedoms and enables the free flow of data. Now that POPIA has commenced, South Africa should become more attractive to foreign and international companies looking to outsource data processing services to South Africa. Effectively, data protection laws and international trade go hand in hand. POPIA will contribute towards building trust and encouraging the free flow of data across South African borders.