POPIA in South Africa and privacy laws in other countries may affect you as a business owner
Personal data, POPIA and other privacy laws
As you will no doubt be aware following the plethora of emails and messages from service providers and clients, the commencement date of the Protection of Personal Information Act was 1 July 2020 and the deadline for your business to comply was 1 July 2021.
Whatever business you are in these days, privacy and the processing of personal information is relevant. The risk of non-compliance is significant and includes substantial financial penalties and imprisonment (don’t worry, highly unlikely), as well as the reputational damage and administrative headaches your business might suffer.
Not only are you subject to POPIA but you might also be subject to international privacy legislation. This includes the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the national legislation of markets that you do business in or that your clients are in.
Some businesses are more up to speed with privacy compliance than others. Given the compliance deadline has passed, there is now some urgency in getting your ducks in a row. Nicholas Bent & Associates can assist you in doing so.
POPIA quick breakdown
- POPIA took effect on July 1, 2020.
- POPIA enforcement began on July 1, 2021.
- POPIA applies to any company or organization processing personal information in South Africa that is domiciled in the country, or that is not domiciled in the country but makes use of automated or non-automated means of processing in the country.
- Fines for non-compliance with POPIA can range up to 10 million ZAR (South African rands).
- Transfers of personal information outside of South Africa are prohibited by POPIA (with exceptions).
- POPIA creates nine actionable rights for South African citizens (data subjects), including but not limited to the right to access, right to correction and right to deletion.
- POPIA also creates eight conditions for lawful data processing, in which the consent of the data subject is central. It is up to websites, companies and organizations (“responsible parties”) to prove that their processing is lawful, e.g. that correct consents have been obtained from users.
- POPIA defines consent as any voluntary, specific and informed expression of will.
- POPIA defines processing as collection, receipt, recording, organization, storage, merging, linking, and more.
- POPIA defines personal information broadly as any information relating to not only a living person, but also a company or legal entity.
- POPIA allows companies and organizations to process data if it’s deemed in the user’s “legitimate interest”, creating a point of ambiguity for possible abuse and enforcement difficulties.
POPIA vs GDPR
There are key differences between POPIA and GDPR, in particular –
- POPIA also protects companies and organizations as juristic persons, where the GDPR only protects living individuals.
- Unlike the GDPR, which applies to the processing of personal data from inside the EU regardless of where the controller/processor is located, POPIA only applies to companies or organizations that are located within South Africa (with the exception of entities that make use of automated processing means in South Africa, e.g. adtech and social media companies).
- Where the GDPR clearly defines a data processor (as a natural or legal person processing personal data on behalf of the data controller), POPIA only talks about the responsible party, i.e. no “joint controller”-responsibility as we know it from the EU.
- POPIA requires all companies and organizations to appoint an Information Officer (automatically assigned to the CEO), whose role and responsibilities differ in important areas from the GDPR’s Data Protection Officer. In addition, POPIA also requires companies and organizations to appoint a Deputy Information Officer.
- While both POPIA and GDPR split the definition of data into personal information and special personal information (or sensitive data in the GDPR), POPIA also assigns criminal offenses to the latter.
Personal information under POPIA
POPIA has a very broad definition of personal information, basically any kind of information relating to an identifiable, living natural person, company or similar legal entity, including but not limited to –
- names, addresses, telephone numbers, email addresses,
- information about age, race, gender, appearance, characteristics, sexual orientation, political convictions, religious beliefs, language,
- health data such as physical or mental health, well-being, disabilities,
- online identifiers such as email addresses, IP addresses, cookies, unique IDs, search and browser history, location data.
POPIA’s broad personal information definition covers activities that happen on most websites in the world, such as first- and third-party cookies collecting IP addresses, search and browser history, trackers setting unique IDs and more.
POPIA creates the following rights for South African citizens (data subjects) –
- Right to be notified about collection and processing of personal information
- Right to access personal information
- Right to request correction of personal information
- Right to request deletion of personal information
- Right to object to the processing of personal information
- Right not to have personal information processed for the purpose of direct marketing by means of unsolicited electronic communications (clearly reflecting the ePrivacy Directive and not the GDPR)
- Right not to be subject to a decision which results in legal consequences based solely on automated processing
- Right to complain to the Information Regulator
- Right to effect judicial remedy
In other words, South African citizens will be able to know when their personal information is likely to be collected and will have the right to consent to it before it happens; they will also be able to request that your website gives them access to the personal information it has collected about them, and to have that information either corrected or deleted altogether, among other rights.
POPIA establishes eight conditions for lawful processing of data in South Africa –
- Accountability (processing is lawful and done in a non-privacy infringing way)
- Processing limitation (processing only for the given purpose)
- Purpose specification (specific purpose must be explicitly defined)
- Further processing limitation (additional processing must still be in accordance with original purpose that the end-user gave their consent to)
- Information quality (make sure that the data is complete, accurate and updated)
- Openness (documentation of all processing operations)
- Security safeguards (must ensure protection and confidentiality of personal information)
- Data subject participation (ensure that end-users can exercise their rights to access, correct and delete their data)
All eight conditions must be met when processing personal information lawfully under POPIA.
Nicholas Bent & Associates have different levels of intervention depending on the nature and size of your business, the personal data that you process, the markets that you do business in, and the practices and policies that you already have in place.
Nicholas Bent & Associates will help you to understand and map your personal data and, depending on the program that is appropriate, provide you with anything from a basic set of policies, such as your internal and external privacy notices, PAIA manual, data processing addendum and security policies, to an extensive program that covers the full suite of policies, training, appointment of your Information Officers and more.
Nicholas Bent & Associates have many international clients and deal regularly with the GDPR and other foreign privacy legislation, and will also advise you on your international compliance.
Your next step is to consider your options and then start the process. Nicholas Bent & Associates will make this easier for you by providing the necessary professional support. Get started and get in touch!
Frequently Asked Questions (FAQ)
What is POPIA?
The Protection of Personal Information Act (POPIA) is South Africa’s data privacy law that empowers citizens with enforceable rights over their personal information, requires websites, companies and organizations to live up to minimum conditions for lawful processing, and establishes the Information Regulator to supervise and enforce compliance with POPIA.
Who does POPIA apply to?
The Protection of Personal Information Act (POPIA) applies to websites, companies, organizations and other legal entities that are located inside South Africa and that process personal information. However, POPIA also applies to responsible parties that are located outside South Africa if they process personal information inside the country (not merely transferring it through the country).
What does compliance with POPIA mean?
Compliance with POPIA means asking for and obtaining the prior consent of end-users before any processing of their personal information. Compliance also means meeting several minimum requirements for lawful processing, such as documentation, security and confidentiality, and ensuring that end-users can exercise their rights to access, correct and have deleted already collected data.