Is Your Business Compliant With POPI?

The publication of the Protection of Personal Information (“POPI”) draft regulations means that we are closer to enforcement. Read the draft regulations and ensure your business is compliant.

The purpose of POPI is to ensure that South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing personal information.

The POPI Bill was approved by the Portfolio Committee on Justice and Constitutional Development on 5 September 2012, and the Information Regulator published draft regulations under the Protection of Personal Information Act 2013 for public comment by 7 November 2017. The publication of these regulations means that enforcement is imminent.

POPI regulates all aspects of collecting, processing and using personal information, and every business in South Africa will be affected. At this stage, businesses need to consider POPI implementation projects and how compliance can be achieved.

The Act will establish minimum thresholds for the processing of personal information and will provide individuals with rights and remedies to protect their information. Non-compliant processing of personal information will be considered unlawful and could be subject to a fine, prosecution and/or imprisonment.

The regulations stipulate obligations for information officers in entities which process information and cover procedural aspects, which include:

  • the manner of objecting to the processing of personal information, with prescribed forms for objections to the processing of personal information, for requests to destroy or correct personal information, and a form to submit a complaint or grievance to the regulator;
  • an application form for industry codes of conduct;
  • data subjects' consent to use personal information for direct marketing.

Click on this link to access the draft regulations: http://www.justice.gov.za/inforeg/docs/InfoRegSA-RegulationsDraft-Aug2017.pdf. As we previously highlighted, this will affect every entity which collects or uses personal information.