Protection of Personal Information Act – Compliance over Complacency

Many organisations have embarked on a journey to ensure that they are compliant with the Protection of Personal Information Act (POPIA), which became enforceable on 1 July 2021. With the deadline already past, it is crucial that companies have good data management practices and processes in place.

Does it all purely come down to consent?

There is a common misconception that personal information cannot be processed without consent. POPIA requires that personal information be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject, and that the processing be adequate, relevant, and not excessive for its purpose. It does not state that personal information may only be processed with consent. Consent is just one of the justification grounds on which processing can lawfully be based. Personal information may also be processed where it is necessary to conclude or perform a contract to which the data subject is party, or where the processing complies with an obligation imposed by law. Processing is also permitted where it is necessary to pursue the legitimate interests of the responsible party or of a third party to whom the information is supplied. Whichever ground is relied on, it should be identified and recorded before processing begins, since the ground determines what must be disclosed to the data subject and what happens if it later falls away.

Urgent steps to take if you are not yet compliant 

  • Appoint and register an information officer

This individual needs to be from within the organisation, with POPIA designating the head of any private body by default. The information officer will be responsible for encouraging compliance within your organisation, liaising with the Information Regulator, developing a compliance framework and ensuring it is implemented, monitored, and maintained, conducting internal sessions on POPIA awareness, and more.

  • Partner with an expert

Given that the deadline has now passed, it is vital to ensure that you get assistance and guidance from an expert as soon as possible. Services offered in respect of data protection and privacy include:

  • Advising on the requirements and effects of the POPIA
  • Compliance training in respect of POPIA
  • Conducting of privacy impact assessments
  • Reviewing and updating contracts, policies, and other documents in relation to data protection and privacy

If you are not yet compliant, it is critical to engage a professional on the matter and to consult legal experts to ensure you are sufficiently covered; otherwise you expose the organisation to administrative fines (up to R10 million under POPIA), possible criminal liability for certain offences, and reputational damage.

It all amounts to compliance over complacency. The onus falls on the responsible party to secure the integrity and confidentiality of the personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of that information, and unlawful access to or processing of it. In practice that means knowing what personal information you hold, where it is stored, who can access it, and how a compromise would be detected and reported, not merely having a policy on file.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.