POPIA and Your Business: A Practical 5-Step Action Plan to Implement Now

“By failing to prepare you are preparing to fail” (Benjamin Franklin)

The media is filled with warnings about the dangers of not complying with POPIA (the Protection of Personal Information Act 4 of 2013) by 1 July 2021, and the risks of non-compliance are substantial.

Visit the Information Regulator’s website for more information.

You have until 30 June 2021 to become fully POPIA compliant. The penalties for getting it wrong are substantial. Make sure to get your business up to date and compliant.

We set out five (5) practical steps below to assist your compliance journey.

Before we start on the action plan, you need to understand that you will almost certainly have to comply fully with POPIA: as soon as you in any way “process” (collect, use, manage, store, share, destroy and the like) any personal information relating to a “data subject” (customers, members, employees and so on), you are a “responsible party”. Very few businesses will fall outside that broad net. Equally, you are unlikely to fall under exemptions like the one applying to information processed “in the course of a purely personal or household activity”.

Let’s get going with the steps:

1. Information Officer

  • Identify an “Information Officer” who will be responsible (and liable) for all compliance duties, working with the Regulator, establishing procedures, and training your team in awareness and compliance.
  • You are automatically your business’ Information Officer if you are its “Head” i.e. a sole trader, any partner in a partnership, or (in respect of a “juristic person” such as a company) the CEO, MD or “equivalent officer”.
  • You, your partnership or your company can “duly authorise” another person in the business (management level or above) to act as Information Officer and you can designate one or more employees (again management level or above) as “Deputy Information Officers”.
  • You will need to register both Information Officers and Deputy Information Officers with the Regulator.

2. What, how and why

  • Assess what personal information you currently hold, how you hold it, and why you hold it.
  • To collect and “process” such information lawfully, you need to be able to show that you are acting lawfully, reasonably, in a manner that doesn’t infringe the data subject’s privacy, and safely.
  • You must show that “given the purpose for which it is processed, it is adequate, relevant and not excessive”.
  • Data can only be collected for a specific purpose related to your business activities and can only be retained so long as you legitimately need to or are allowed to keep it.

3. Check security measures and know what to do about breaches

  • You must “secure the integrity and confidentiality of personal information in [your] possession or under [your] control by taking appropriate, reasonable technical and organisational measures to prevent … loss of, damage to or unauthorised destruction of personal information … and unlawful access to or processing of personal information.”
  • You are going to have big problems if there is any form of breach from a risk that is “reasonably foreseeable” unless you can prove that you took steps to “establish and maintain appropriate safeguards” against those risks.
  • Bear in mind that whilst cyber-attacks tend to get the most media time, there are also other risks out there.
  • Any actual or suspected breaches (called “security compromises” in POPIA) must be reported “as soon as reasonably possible” to both the Information Regulator and the data subject/s involved.
  • If third parties (“operators”) hold or process any personal information for you, they must act with your authority, treat the information as confidential, and have in place all the above security measures.

4. Direct marketing

  • Most businesses don’t think of themselves as doing any “direct marketing”, but the definition is wide and includes “any approach” to a data subject “for the direct or indirect purpose of … promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject…”.
  • For example, just sending an email or WhatsApp message to your customers about a new product or a special offer will put you firmly into the realm of direct marketing.
  • If your marketing approach is by means of “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, you must observe strict limits.
  • Whilst you can, as a general proposition, market to existing customers in respect of “similar products or services”, there are limits and recipients must be able to “opt-out” at any stage. Potential new customers can only be marketed to with their consent, i.e. on an “opt-in” basis.

5. Procedures and training

  • Cover how you will collect the data, process it, store it, for how long, for what purpose/s and so on.
  • What consent forms do you need and when/how are they to be completed and stored?
  • You are much less likely to have a POPIA problem if everyone in your business understands what your procedures are and implements them as a matter of course.

This is a complex topic. What is set out above is of necessity no more than a simplified summary of a few practical highlights.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.