Legal advice for entrepreneurs – what does POPI mean for my business?

28th July 2022


The Protection of Personal Information Act, No 4 of 2013 (POPI) is finally here. POPI was signed into law by the President of South Africa on 19 November 2013 and published in the Government Gazette on 26 November 2013. Up until 1 July 2020, only certain provisions of POPI were in force (such as those mandating the establishment of the Information Regulator, being the regulatory body established in terms of POPI), while the primary provisions dealing with personal information were not yet operative. The remaining provisions of POPI finally came into force and effect on 1 July 2020, save for a few provisions related to the amendment of laws and the functions of the Human Rights Commission.

What is POPI? POPI regulates the collection, storage, use and dissemination of personal information, and promotes the protection of personal information processed by public and private bodies (referred to as responsible parties under POPI). It introduces certain conditions to establish minimum requirements for the processing of personal information. It will have an impact on any business which collects, stores, processes or disseminates any personal information.

What is personal information? Personal information includes, in broad terms, the following:

Personal information is found in 5 key areas: market research via direct marketing; online browsing by clients and customers via websites; employment agreements; customer-facing service agreements; and third-party supply agreements. Personal information is collected, stored and disseminated all of the time – sending an email, writing notes about an applicant in a job interview, filling in personal information at a security gate or building entrance, throwing documents in the bin – all of this falls within the ambit of POPI.

What does this mean for start-ups? As of 1 July 2021, all businesses who process personal information will be considered responsible parties and be required to comply with the provisions of POPI.

What do businesses need to do now? Businesses should carry out a review of their company policies and procedures to ascertain the extent to which they comply with POPI's requirements and, to the extent that they fall short, they should take appropriate steps to remedy such non-compliance. In carrying out such a review, the typical areas of focus are the following:

What are the obligations on businesses? Businesses must ensure that the necessary consents for the collection, storage and dissemination of personal information are obtained, as and when required. In this regard, POPI prescribes certain minimum requirements for where, how, and why personal information is collected, stored, and transferred. The important steps include: (1) obtaining consent from the persons whose personal information is collected, to the extent required; (2) restricting any collection, storage and dissemination to what is strictly necessary for the specific and lawful purpose for which it was collected; (3) ensuring that records of personal information are not retained any longer than is necessary for achieving the purpose for which the information was collected; (4) ensuring information accuracy; (5) ensuring that persons are aware of what information is stored, the reason for storage, and their obligations and rights as regards such personal information; and (6) ensuring that the necessary security safeguards to secure the integrity and confidentiality of the personal information collected are in place. Personal information covers so much that compliance cannot be achieved by one person only – the whole business needs to take responsibility for POPI compliance.

What are the implications of non-compliance? Non-compliance with the provisions of the Act bears the risk of incurring significant penalties. In terms of section 107 of the Act, any person who obstructs the Regulator, fails to comply with an enforcement notice, gives false evidence before the Regulator, or fails to ensure lawful conditions for processing, is liable, on conviction, to a fine or imprisonment for a period not exceeding 10 years or to both a fine and such imprisonment. Any person who fails to notify the Regulator if processing is subject to prior authorisation, breaches the duty of confidentiality, obstructs the execution of a warrant, or fails to comply with an enforcement notice is liable, on conviction, to a fine or imprisonment for a period not exceeding 12 months or to both a fine and such imprisonment. The Act also provides for certain administrative fines, which amount may not exceed R10 million.

Written by Justine Krige, Director in the Corporate & Commercial practice at Cliffe Dekker Hofmeyr