Monday, 23 April 2018

Protection of Personal Information Act (POPIA) for Small Businesses

I often get asked: does POPIA apply to my small business? The answer is definitely yes. POPIA gives effect to section 14 of the Constitution, which provides that everyone has the right to privacy, and the right to privacy includes a right to protection against the unlawful collection and use of personal information.

POPIA sets out data protection principles and provides guidelines on how personal information must be handled. It follows international trends and puts South Africa on par with global best practice insofar as data protection is concerned. An Information Regulator has already been established, and this body will have the power to investigate non-compliance and impose significant fines. Although the Act was signed into law in 2013, only parts of it commenced operation in 2014 (chiefly the provisions establishing the Regulator), and the substantive obligations have yet to commence: we expect this to happen during 2018. Once POPIA is fully operative, all businesses will have one year to comply, or face severe sanctions.

Does your business collect, store or process any personal information? Personal information is any information relating to an identifiable living natural person or, where applicable, an identifiable existing juristic person (such as a company). It includes contact details, demographic information, personal history, product preferences, and any other information that can be used to identify a person.

It is highly likely that most small to medium businesses will answer "yes", since most, if not all, businesses process some personal information. POPIA requires you to process personal information in accordance with eight "conditions" for lawful processing. Among other things, the conditions oblige you to collect information only for a specific, defined purpose; to collect no more than is required for that purpose; to ensure the information is relevant and accurate; to store it securely; and to allow the "data subject" (the person the information is about) to inspect any information you hold about them.

Importantly, for most small businesses the lawful basis for collecting personal information will be consent, and POPIA treats consent as "opt-in": the person must specifically agree to the information being collected (subject to an exception dealing with existing clients, and to the other lawful grounds the Act recognises, such as processing that is necessary to perform a contract with the person).

How can you comply with POPIA? Ensure you have a brief, written policy outlining how you process personal information. Think carefully about how your business uses personal information, and why: is each use actually necessary? If so, document it carefully, keep the policy up to date as your practices change, and ensure you are familiar with POPIA.