The Protection of Personal Information Act 4 of 2013 (“POPI”) was signed into law in November 2013. The provisions of the Act came into effect on 1 July 2020, with the grace period ending on 1 July 2021.
Organisations must ensure that they comply with the POPI Act as the Information Regulator will start enforcing the POPI Act when the grace period ends.
The purpose of POPI is to ensure that all South African institutions act responsibly when collecting, processing, storing and sharing another entity’s personal information.
It is important to note, though, that this right to protection of “personal information” applies not just to natural persons but to any legal entity, including companies. While consumers now have more rights and protection, organisations are considered “responsible parties” and have the same obligation to protect other parties’ personal information. For a company, this would include protecting information about your employees, suppliers, vendors, service providers, business partners, private and public (government) bodies, sole proprietors, traders and juristic persons.
Organisations should aim to:
- Understand their legal obligations under the Act;
- Conduct a personal information impact assessment and audit;
- Implement a written privacy and data protection policy and procedures within workplace systems for the processing of personal information, and undertake regular reviews thereof;
- Designate an Information Officer and deputy information officers if required;
- Conduct internal training for employees, as well as internal monitoring and auditing;
- Respond promptly to data breaches and take remedial action;
- Implement information security measures;
- Review direct marketing practices.
Should you require legal services in understanding, drafting and implementing POPI policies, please contact Livingston Leandy Inc for practical legal advice, direction and a unique tailored strategy for your organisation.