Maintaining compliance with the Protection of Personal Information Act – Part 1: Application and Exceptions
Provided by KISCH IP
By Anola Naidoo
16 Aug 2021
By now, businesses are likely all aware that the Protection of Personal Information Act 4 of 2013 (POPIA) is in full force and requires all businesses which process personal information of persons to comply with POPIA’s eight conditions for lawful processing, to continue processing the personal information. In the midst of a global pandemic and economic unrest, you have hopefully managed to have a POPIA policy drafted to meet the bare minimum requirements to absolve you of those fierce fines and sanctions.
This article deals with maintaining compliance with POPIA, with the aim of providing insight into the legal requirements of POPIA and the tools required to prepare the necessary policies and procedures that must coexist with your POPIA policy if you truly wish to be compliant.
The rush of WhatsApp, Facebook messages, marketing database opt-ins and implied consents are proof that many businesses were led to believe compliance is as easy as counting to three. Well, it is not; it is more like counting to three in a foreign language.
You now must ask yourself:
- I have this policy, I sent those messages, what now?
- Am I really compliant?
- How long does this compliance last?
- Why is there no POPIA compliance certificate?
- Am I really safe from those sanctions?
In the rush following POPIA’s introduction, many businesses did not have the time or resources to conduct a proper personal information impact assessment, which should ideally be completed before any policies are drafted. A business needs to identify what personal information it is processing, the various mediums through which it processes that information, and why and when it processes it. The business will also need to establish whether any of the personal information constitutes special personal information, or whether it is transferred to or stored outside the Republic of South Africa. Foreign entities need to understand whether they have processes, systems or third-party service providers in South Africa that process personal information on their behalf.
It is important to note that ‘personal information’ and ‘processing’ are very widely defined in POPIA. Personal information refers to any information that can identify a living person or existing juristic person, including contact details, biographic details, medical information, financial information, criminal information, employment information, educational information, biometric information, opinions, preferences and geolocation. If you process any information pertaining to minors, or a person’s religious or criminal behaviour, political beliefs, biometric information, race, health or trade union membership, you are processing special personal information and compliance with POPIA becomes more onerous.
Any operation or activity, or any set of operations, whether or not by automatic means, including the use, collection, communication, organisation, decryption, storage, deletion, transfer, dissemination, updating, modifying, merging, linking and copying of the above personal information, is captured by a single word in POPIA: ‘processing’.
Should you be found to be processing personal information and/or special personal information, you will need to ascertain whether any exemptions apply that allow you to continue processing it. In terms of POPIA, whenever you intend to process personal information for domestic or household purposes, or for journalistic, statistical, historical or research purposes, you need not comply with the eight conditions which POPIA prescribes for the lawful processing of personal information.
However, note that compliance with POPIA is still relevant for the actual collection and receipt of personal information that can identify a person and that will be used for statistical, historical or research purposes, unless the personal information is encrypted and, when decrypted, incapable of identifying a person. Information deliberately made public by a person, or personal information which is processed for a legitimate purpose (e.g., for the purpose of fulfilling an obligation in terms of an agreement), may also be processed without consent.
This last exception has been used by many to excuse non-compliance with POPIA, but a key consideration in relation to this exception is that every bit of personal information must be processed for a legitimate purpose. For example, an email address may be required to communicate between the contracting parties and perform in terms of the contract, whereas a private cellular phone number may not qualify under this exception (depending on the circumstances). Also consider that if one relies on this exception and the Information Regulator investigates the processing, the business will have to spend time and resources proving to the Information Regulator how every bit of personal information is processed for a legitimate purpose. Had the business first identified what personal information it needed to process and advised the data subject in order to obtain his/her informed consent to the processing, the business could have saved that time and those resources and focused on doing business. Put differently, any amount of time and resources which a business does not spend on becoming properly compliant with POPIA will be time it will have to spend dealing with the fallout of non-compliance.
Accordingly, it is better to do a personal information impact assessment a bit late rather than not at all. Once you have done so and have determined that you are indeed processing personal information of a living natural person and/or existing juristic person, you will proceed to comply with the eight conditions for lawful processing.
Anola Naidoo is an attorney in KISCH IP's commercial department. Anola specialises in the drafting of commercial agreements, consumer law compliance, company registrations, business enterprise management, commercial law and litigation.