Maintaining Compliance with the Protection of Personal Information Act (POPIA) A series of compliant events – Part 1: Application and Exceptions
By now, businesses are likely all aware that the Protection of Personal Information Act 4 of 2013 (POPIA) is in full force and requires all businesses which process personal information of persons to comply with POPIA’s eight conditions for lawful processing, in order to continue processing the personal information. In the midst of a global pandemic and economic unrest, you have hopefully managed to have a POPIA policy drafted to meet the bare minimum requirements to absolve you of those fierce fines and sanctions.
This deals with maintaining compliance with POPIA, with the aim of providing insight into the legal requirements of POPIA and the tools required to prepare the necessary policies and procedures that must coexist with your POPIA policy if you truly wish to be compliant.
The rush of WhatsApp, Facebook messages, marketing database opt-ins and implied consents are proof that many businesses were led to believe compliance is as easy as counting to three. Well, it is not; it is more like counting to three in a foreign language.
You now have to ask yourself:
- I have this policy I sent those messages; what now?
- Am I really compliant?
- How long does this compliance last?
- Why is there no POPIA compliance certificate?
- Am I really safe from those sanctions?
In the rush following POPIA’s introduction, many businesses did not have the time or resources to conduct a proper personal information impact assessment, which is ideally required before any policies can be drafted. A business needs to identify what personal information it is processing, the various mediums of processing it can undertake, as well as why and when it is processing the personal information. The business will also need to establish whether any of the personal information constitutes special person information or if it is transferred or stored outside the Republic of South Africa. Foreign entities need to understand whether they have processes/ systems/ third party service providers in South Africa that process personal information on their behalf.
It is important to note that ‘personal information’ and processing’ are very widely defined in POPIA. Personal Information refers to any information that is capable of identifying a living person or existing juristic person, including contact details, biographic details, medical information, financial information, criminal information, employment information, educational information, biometric, opinions, preferences and geolocation. If you process any information pertaining to minors, or a person’s religious or criminal behaviour, political beliefs, biometric information, race, health or trade union membership, you are processing special person information and compliance with POPIA becomes more onerous.
Any operation or activity or any set of operations, whether or not by automatic means including the use, collection, communication, organisation, decryption, storage, deletion, transfer, dissemination, updating, modifying, merging, linking and copying of the above personal information has been defined by one word in POPIA, i.e., ‘processing’.
Should you be found to be processing personal information and/or special personal information, you will need to ascertain whether any exemptions are applicable for you to continue processing the personal information. In terms of POPIA, whenever you intend to process personal information for domestic/ household purposes, journalistic, statistical, historic or research purposes, you need not comply with the eight conditions which POPIA prescribes for the lawful processing of personal information.
However, note that compliance with POPIA is still relevant for the actual collection and receipt of the personal information that is capable of identifying a person and that will be used for statistical, historic or research purposes, unless the personal information is encrypted and when decrypted incapable of identifying a person. Information deliberately made public by a person or personal information which is processed for a legitimate purpose e.g., for the purpose of fulfilling an obligation in terms of an agreement, may also be processed without consent.
This last exception has been used by many to excuse compliance with POPIA, but a key consideration in relation to this exception is that every bit of personal information must be processed for a legitimate purpose. For example, an email address may be required to communicate between the contracting parties and perform in terms of the contract, a private cellular phone number may not qualify under this exception (depending on the circumstances). Also consider that if one relies on this exception, and the Information Regulator does an investigation into the processing, the business will have to spend time and resources proving to the Information Regulator how every bit of personal information is processed for a legitimate purpose. Had the business first identified what personal information it needed to process, and advised the data subject in order to obtain their informed consent to the processing, the business could have saved its time and resource and focused on doing business. Put differently, any amount of time and resources which a business does not spend in becoming properly compliant with POPIA will be time it will have to spend in dealing with the fallout of non-compliance.
Accordingly, it is better to do a personal information impact assessment a bit late rather than not at all. Once you have done so, and have determined that you are indeed processing personal information of a living natural person and/or existing juristic person, you will proceed to complying with the eight conditions for lawful processing.
Should you require any further information or assistance in implanting, confirming or maintaining compliance with POPIA or if you have any questions regarding POPIA, then please do not hesitate to contact our data protection department at firstname.lastname@example.org or email@example.com.