When is consent required to process your information?

play article
Subscribers can listen to this article
Michelle Dickens, uitvoerende hoof van TPN
Michelle Dickens, uitvoerende hoof van TPN

The Protection of Personal Information Act becomes effective on 1 July, but according to a survey only 27,4% of companies are ready for it.

The Protection of Personal Information (POPI) Act becomes effective on 1 July this year. The Act ensures that each individual’s right to privacy is taken seriously and provides protection against the unlawful collection, dissemination and use of personal information including contact details, demographic information, personal history as well as communication records.

However, even once the POPI Act is effective, certain organisations can still process your personal information without your consent.

No consent is required when the individual already has a contract in place with an organisation and where the processing of their personal information is required in terms of the contract, or where there is a reason in law for collecting or processing personal information. In all other instances companies and other organisations are required to get consent from individuals before they can obtain, retain and process personal information for communication or other purposes.

Although organisations are expected to be fully compliant with the POPI Act by 1 July with all the necessary systems and processes in place, industry bodies were required to have submitted a code of conduct to the Information Regulator by 1 March 2021 according to Regulation 5 of the POPI Act.

According to a survey conducted by TPN Credit Bureau on how ready companies are for POPI, only 27.4% are process ready and only 40.3% are ready from a governance perspective. Technological readiness scored the highest at 57%, which is still a far cry from compliant.

Of the 200 companies we surveyed, only 8% scored above 80% for their POPI Act readiness, indicating that many organisations still have much work to do in this regard before the 1 July deadline.

The Credit Bureau Association, for example, has submitted its code of conduct to the Information Regulator, who has subsequently opened the code up for public comment. In South Africa credit bureaux are subject to the restrictions of the National Credit Act which governs the processing of consumer credit information. However, credit bureaux can’t process credit profile information unless they have pre-approval from the Information Regulator.

Another deadline which is looming relates to Regulation 4 of the POPI Act which requires that organisations have appointed an Information Officer by 1 May. An information Officer is responsible for, amongst other things, encouraging compliance with the POPI Act; developing and implementing a compliance framework; and ensuring that a personal information impact assessment is done to ensure that adequate measures and standards exist.

The aim of the POPI Act is to protect personal information and prevent information from being exposed to unauthorised individuals or entities. As such it requires that a set of streamlined processes and systems are established that easily identify where personal information is stored, how that information is processed physically and electronically, who has access to it as well as for what purpose it is required. Not surprisingly, becoming POPI compliant takes time and needs to be an ongoing process.

A failure to be compliant has consequences as organisations could face fines or other penalties depending on the nature of the offense with a maximum 10-year prison sentence or a R10m fine.

Read more
This article was written exclusively for finweek's 23 April newsletter. You can subscribe to the weekly newsletter here.

We live in a world where facts and fiction get blurred
In times of uncertainty you need journalism you can trust. For 14 free days, you can have access to a world of in-depth analyses, investigative journalism, top opinions and a range of features. Journalism strengthens democracy. Invest in the future today. Thereafter you will be billed R75 per month. You can cancel anytime and if you cancel within 14 days you won't be billed. 
Subscribe to News24
Rand - Dollar
Rand - Pound
Rand - Euro
Rand - Aus dollar
Rand - Yen
Brent Crude
Top 40
All Share
Resource 10
Industrial 25
Financial 15
All JSE data delayed by at least 15 minutes Iress logo
Company Snapshot
Government tenders

Find public sector tender opportunities in South Africa here.

Government tenders
This portal provides access to information on all tenders made by all public sector organisations in all spheres of government.
Browse tenders