POPIA Explained: Your 5-Minute Guide to SA’s New Data Privacy Law

Has your inbox suddenly been flooded with mails all about POPIA, privacy and new legal changes? Ours certainly have been!

Now that the dust has settled a little, we’re posting to clarify any remaining questions you might have, and give you a helpful recap about what POPIA is, and what it means going forward.

Intro to POPIA

On July 1 st 2021, South Africa’s new Protection of Personal Information Act (POPIA) came into force. With it, data, privacy and record-keeping requirements changed for thousands of organisations around South Africa. Not only for government entities and large corporates, but SMB’s, too.

In brief, the Protection of Personal Information Act (POPIA) is South Africa’s new data protection law. It’s aim is to protect individuals from harm by ensuring the their personal data is always handled correctly, prudently and with their consent.

To do this, the Protection of Personal Information Act lays out a number of specific conditions for when and how it is lawful for someone to process someone else’s personal information. It also places strict requirements on how that data is safeguarded and used.

What do the requirements include?

The POPIA requirements cover factors such as accountability, processing limitations, information quality, openness, security safeguards, and data subject participation, among others.

Some of the basic principles include:

• Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject.
• Personal information may only be processed for specific, explicitly defined and legitimate reasons.
• Personal information may not be processed for a secondary purpose unless that processing is compatible with the original purpose.
• The data subject whose information you are collecting must be aware that you are collecting such personal information and for what purpose the information will be used.
• Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure.
• Data subjects may request whether their personal information is held, as well as the correction and/or deletion of any personal information held about them.

What is “personal information”?

For the purposes of the act, “personal information” means information relating to an identifiable, living natural person and, where applicable, an identifiable company or other similar legal entity.

Information about age, gender and race, identity numbers, telephone numbers, location information, online identifiers, and personal opinions and preferences are all included in the definition. Personal data on disabilities, physical or mental health, financial, criminal or employment histories are also included.

Who is affected by the act?

Any natural or juristic person who processes personal information – including large corporates and government – are affected. Currently, SMEs are also included.

What steps do companies have to take to comply with the act?

There are various requirements placed on companies by POPIA. Among them are the need to:

• Appoint an information officer
• Draft a privacy policy
• Raise awareness of POPIA among employees
• Report data breaches
• Only share personal information when they are lawfully allowed to

At The CRM Team, we’ve always been committed to the strictest client confidentiality and data security protocols. You trust us with your personal data, and we work hard to keep that data secure. With the passage of POPIA, we’re doubling down on that promise, to ensure your personal information is always used appropriately, transparently and in accordance with the applicable laws.

If you have any further questions about POPIA or want to get your business compliant, feel free to get in touch.