POPIA 4 OF 2013 - NOW WHAT?


The Protection of Personal Information Act of 2013 hit South Africa with a bang on the 1st of July 2021 and even though this Act has been lingering around since 2013, very few organisations and businesses were ready for the practicalities in respect of POPIA. Everyone sent OPT IN emails in bulk, Facebook groups posted POPIA rules which make little sense in practical terms and even WhatsApp groups got onto the bandwagon. Very few people really understood why and how OPT INs or OPT OUTs are required and where POPIA terms should appear. All of this, of course, resulted in chaos.

Some of the confusion which was experienced related to:

  1. Organisations' existing client contact database and whether such database had to be "reset" and restarted on 1 July 2021? Many people were unsure what to do with contact details collected before 1 July 2021 and how to use the details post 1 July 2021;
  2. The lack of industry standards in respect of Policies and Consent contents;
  3. How canvassing within businesses would look and how such businesses could or should use their customer contact details post 1 July 2021;
  4. The extent of the cyber risks which exist within the POPIA framework and the immediate need for employee awareness and training;
  5. Who the Information Officer should be, whether a Deputy Information Officer would be necessary and how the registration at the Regulator would work;
  6. How Covid-related personal information is to be dealt with and provided for in line with POPIA;
  7. The integration of POPIA and PAIA. Very few people know about PAIA and what that is about;
  8. How social media content within business and personal pages is to be protected.

 

And so the list goes on.

The good news is that the dissemination of POPIA is not as complicated as it would appear and whilst industry Codes of Conduct currently remain outstanding, businesses are easily able to comply with the very minimum POPIA requirements by following these steps:

  1. Putting together a set of data privacy rules referencing the POPIA core principles in the form of a DATA PRIVACY POLICY is a good start. This Policy will serve as a guideline for customers and clients as well as employees within the business and would be the reference source in the event of the Information Regulator requiring proof of the business's rules;
  2. Equally important is the implementation of a set of internet and email usage rules applicable to the employees within the business. It is a known fact that most data breaches occur electronically and as a result, businesses should use this POPIA opportunity to upskill employees in the field of cyber risks, email interceptions and how to avoid inviting viruses into the system. The best way to provide for such internal rules is in the form of an INTERNAL INTERNET USAGE POLICY, again setting out the rules clearly;
  3. Implementing Policies within a business requires the buy-in of the employees and in order to prove that employees received training in respect of the Policies as well as the practicalities surrounding POPIA, an EMPLOYEE DECLARATION for signature by all employees is advisable for all businesses and organisations. Without a signed declaration, employees are easily able to escape proper management accountability;
  4. Personal information is often shared between businesses in order for services to be rendered. POPIA requires that an agreement be created between such businesses in terms of which certain undertakings are given by both the businesses. Without a signed agreement between the businesses, liability is difficult to determine and the risk of claims increases. For example: where a business shares its employee and customer details with an outsourced payroll support company or where the same information is shared with a third-party accountancy firm. These agreements are commonly referred to as OPERATOR'S AGREEMENTS and it is the duty of the business who primarily collects the personal information to draft such an agreement for signature by the third-party service provider;
  5. Reviewing and amending standard customer or client personal information forms is a necessity since some form of POPIA reference should appear on these forms. In addition, Consents are required to be obtained where personal information is required to be completed on these forms;
  6. The business or organisation's Information Officer needs to be appointed by means of a RESOLUTION passed by management and once the appointment is confirmed, the registration of the Information Officer is required at the Information Regulator through its online registration portal. Information Officers require training and it is advisable that a proper written guideline is prepared for usage by these individuals;
  7. Businesses and organisations often forget to address their standard "disclaimer" which usually appears as a footer on emails and on the landing website pages. Implementing a proper disclaimer and/or placing the Data Privacy Policy on the website is not only a POPIA requirement but also adds confidence in the minds of customers or clients.
Author Baks Kaplan Russel
Published 26 Aug 2021