The Protection of Personal Information Act becomes effective on 1 July, but according to a survey only 27,4% of companies are ready for it.
The Protection of Personal Information (POPI) Act becomes effective on 1 July this year. The Act ensures that each individual’s right to privacy is taken seriously and provides protection against the unlawful collection, dissemination and use of personal information including contact details, demographic information, personal history as well as communication records.
However, even once the POPI Act is effective, certain organisations can still process your personal information without your consent.
No consent is required when the individual already has a contract in place with an organisation and where the processing of their personal information is required in terms of the contract, or where there is a reason in law for collecting or processing personal information. In all other instances companies and other organisations are required to get consent from individuals before they can obtain, retain and process personal information for communication or other purposes.
Although organisations are expected to be fully compliant with the POPI Act by 1 July with all the necessary systems and processes in place, industry bodies were required to have submitted a code of conduct to the Information Regulator by 1 March 2021 according to Regulation 5 of the POPI Act.
Of the 200 companies we surveyed, only 8% scored above 80% for their POPI Act readiness, indicating that many organisations still have much work to do in this regard before the 1 July deadline.
The Credit Bureau Association, for example, has submitted its code of conduct to the Information Regulator, who has subsequently opened the code up for public comment. In South Africa credit bureaux are subject to the restrictions of the National Credit Act which governs the processing of consumer credit information. However, credit bureaux can’t process credit profile information unless they have pre-approval from the Information Regulator.
Another deadline which is looming relates to Regulation 4 of the POPI Act which requires that organisations have appointed an Information Officer by 1 May. An information Officer is responsible for, amongst other things, encouraging compliance with the POPI Act; developing and implementing a compliance framework; and ensuring that a personal information impact assessment is done to ensure that adequate measures and standards exist.
The aim of the POPI Act is to protect personal information and prevent information from being exposed to unauthorised individuals or entities. As such it requires that a set of streamlined processes and systems are established that easily identify where personal information is stored, how that information is processed physically and electronically, who has access to it as well as for what purpose it is required. Not surprisingly, becoming POPI compliant takes time and needs to be an ongoing process.
A failure to be compliant has consequences as organisations could face fines or other penalties depending on the nature of the offense with a maximum 10-year prison sentence or a R10m fine.