POPI in the news

PAIA registration

With everyone focusing on the 30 June 2021 deadline for implementing the POPI Act, many lost sight of the fact that the same date was also the date by which all entities had to comply with PAIA (the Promotion of Access to Information Act 2 of 2000). Fortunately, the powers that be understood that this would be a bridge too far and extended the PAIA compliance deadline to 31 December 2021.

This legislation forms the counterbalance to POPIA: it ensures that entities disclose sufficient information to allow the public at large to make informed decisions. Public bodies, as well as larger private entities, have had to comply with the Act for many years. On 31 December 2021, the remaining entities must become compliant.

POPIA, on its publication and coming into effect, amended a number of PAIA's provisions: compliance with PAIA is now monitored and enforced by the Information Regulator of South Africa, and the PAIA manual must be made available at your main place of business as well as on your website (where applicable).

Once again, the extension only applies to certain entities, as set out in the notice published in the Government Gazette on 30 June 2021.

Update on registering your Information Officer

Due to the popularity of the POPI Act, the registration portal for company information officers crashed towards the end of June 2021.

In all seriousness, though, the portal crashed because so many of you are law-abiding citizens who want to comply with the legislation. The office of the Information Regulator of South Africa accepts that its portal being down prevents many businesses from registering online. It has therefore published a notice stating “that there will be no deadline for registration of Information officers (IO) and Deputy Information Officers (DIO); this means that no responsible party will be held liable for not registering by 30 June 2021” (Media Statement of 22 June 2021).

Does this mean that Information Officers do not need to be appointed? Definitely not. Every entity must still appoint its Information Officer (and Deputy Information Officers, where applicable) as before, and must keep the necessary documentary proof on file (see the Regulator's guidance note of 1 April 2021, Annexure B and Annexure C, as applicable).

If you would like to send your registration forms (included in the EasyPOPI toolkit), you can email them to registration.IR@justice.gov.za

Amazon gets $888mil fine

Amazon is the latest target of the GDPR regulators. Luxembourg's data protection authority (the CNPD) fined it €746 million (about $888 million), the biggest GDPR fine to date. Amazon says the fine is without merit and will defend itself vigorously. Amazon's net sales were about $386 billion in 2020, so this fine is roughly 0.2% of annual turnover; the GDPR allows fines of up to 4% of global annual turnover. Just imagine a fine of that proportion in your business. Some businesses run at a profit margin of only a few percent, so a turnover-based fine could mean handing over all your profit for the year. POPIA is modelled closely on the GDPR, but its penalties are structured differently: the Regulator may impose an administrative fine of up to R10 million per offence (section 109), and the more serious offences also carry a criminal fine or imprisonment of up to 10 years (section 107). For most South African businesses R10 million is an existential amount, and it would be no surprise if the Regulator draws on the GDPR enforcement experience when deciding how hard to fine.

Have you started your POPI compliance journey yet? The grace period ended on 30 June 2021, which means that from 1 July 2021 you can be fined. Don't be fooled into thinking that you can just draft your own POPI consent letter, copied from one of the many emails you have received. The very fact that businesses send out such letters is evidence of the many procedures and processes that have been put in place behind the scenes.

POPIA requires you to look at the full Act and comply with ALL of it. Contact us to help you with your POPI implementation today.

Information Regulator Portal Issues

Further to our blog post of 22 June, the Information Regulator has indicated that it will not penalise anybody for missing the registration deadline on its online portal because of the technical issues it is experiencing. This does not mean that the deadline of 30 June no longer applies; it only means that the Regulator acknowledges that it is having serious problems. We advise all our customers to use the internal Information Officer appointment letter and keep it on record as part of your POPI manual. In the meantime, the Information Regulator is looking into other means of registering your Information Officer. Apart from its technical issues, the portal also does not cater for a CEO being the Information Officer of multiple organisations, which is allowed. The POPI Act still comes into force on 1 July, and all responsible parties that are not compliant by the deadline face potential fines. Don't delay any longer! Download the EasyPOPI DIY Toolkit today.

Limited impact of Regulator’s extension in law

On or about 17 June 2021, the Information Regulator responded to a request, submitted under section 114 of POPIA by Business Unity South Africa on 29 May 2021, for an extension relating to sections 57 and 58 of the Act (processing subject to prior authorisation).

The Regulator indicated that processing which is subject to its prior authorisation may, for now, continue without that authorisation. From 1 February 2022, however, the Regulator's prior authorisation will be required before such processing takes place.

Sections 57 to 59 of the Act deal with processing subject to prior authorisation. Section 57(1) says a responsible party must obtain prior authorisation from the Regulator if it plans to:

  • process any unique identifiers of data subjects for a purpose other than the one specifically intended at collection, and with the aim of linking that information with information processed by other responsible parties (s 57(1)(a));
  • process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties (s 57(1)(b));
  • process information for the purposes of credit reporting (s 57(1)(c)); or
  • transfer special personal information, or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for personal information (s 57(1)(d)).

Section 58, which contains the postponed requirement, deals with the notification to the Regulator and the waiting period that follows. Under section 58(2), a responsible party may not carry out processing that it has notified to the Regulator until the Regulator:

  • has completed its investigation and issued a statement on the lawfulness of the processing (s 58(5)); or
  • has informed the responsible party, within four weeks of the notification, that it will not conduct a more detailed investigation (s 58(3)). Where the Regulator does decide on a more detailed investigation, it must conclude it within a period not exceeding 13 weeks from the date it informs the responsible party (s 58(4)).

It seems to us that the extension in question has an extremely limited impact on the 30 June POPIA deadline.

Do I have to be POPI compliant?

POPIA sets out eight conditions for lawful processing (often called the eight principles): accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation. We often get asked whether the law applies to a particular business and whether it needs to implement a POPI programme. The answer follows from the first condition, accountability: every business, sole proprietor and individual that processes personal information in South Africa must comply with POPIA from 1 July 2021. The scope of the Act (section 3) reads, in summary, as follows:
POPIA applies to the processing of personal information (the information of a “data subject”) which, in terms of section 3(1)(a), is entered in a record by or for a responsible party by automated or non-automated means. Where the record is processed by non-automated means (for example paper files, photographs or x-rays), it must form part of a filing system or be intended to form part of one. In terms of section 3(1)(b), the responsible party must either be domiciled in the Republic (s 3(1)(b)(i)) or, if not domiciled in the Republic, make use of automated or non-automated means in the Republic, unless those means are used only to forward personal information through the Republic (s 3(1)(b)(ii)).

Then people ask: but do I process information? The test is the definition of “processing” in section 1 of the Act. Processing means any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information, including, in terms of paragraph (a) of the definition:

  • Collection
  • Receipt
  • Recording
  • Organisation
  • Collation
  • Storage
  • Updating
  • Modification
  • Retrieval
  • Alteration
  • Consultation
  • Use

In terms of paragraph (b), processing includes the dissemination of personal information by means of:

  • Transmission
  • Distribution
  • Making available in any other form

In terms of paragraph (c), processing also includes the following operations on personal information:

  • Merging
  • Linking
  • Restriction
  • Degradation
  • Erasure
  • Destruction
Processing subject to prior authorisation (section 57) means that a responsible party must obtain the Regulator's prior authorisation before it processes unique identifiers of data subjects for a purpose other than the one specifically intended at collection and with the aim of linking that information with information processed by other responsible parties (s 57(1)(a)); processes information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties (s 57(1)(b)); processes information for the purpose of credit reporting (s 57(1)(c)); or transfers special personal information, or the personal information of children, to a third party in a foreign country that does not provide an adequate level of protection (s 57(1)(d)).
When we look at the above, it is clear that virtually all organisations have to comply with the law and implement a POPI programme. EasyPOPI has helped a variety of businesses in a wide range of industries, namely Finance, Accounting, Tax Practitioners, Educational institutions, Estate Agencies, Manufacturing, Agriculture, Mining Suppliers, Body Corporates, IT specialists, Cyber security, Medical Practices, Laboratories, Law Firms, Retail and Consultancies, just to name a few. Don't delay: get POPI ready today with our EasyPOPI DIY Toolkit for only R1999.

Direct marketing and consent

Section 69 of the POPI Act prohibits direct marketing by means of any form of electronic communication, which obviously includes emails, SMSs and automatic calling machines, unless the data subject has consented to it or is an existing customer. Under section 69(3) you can still market your own similar products or services to a customer whose contact details you obtained in the context of a sale, provided the customer was given a reasonable opportunity to object when the details were collected and can easily opt out of every communication. Service messages such as transaction notifications, alerts and debt collection are not direct marketing at all. Consent under the Act must be a voluntary, specific and informed expression of will: a newsletter subscription or a call-back request submitted through your website is a good example, provided it is clear what the person is agreeing to, but the mere existence of a contract is not consent to market to someone. Make sure to file these consents in a central place. Let's say you are a medical practice that needs to get POPI compliant. Do you have to get consent from every historical patient to keep their personal information on record? The answer is no, but not because handing over the information was consent in itself: section 11 of POPIA recognises lawful grounds for processing other than consent, such as processing that is necessary to carry out a contract with the data subject or to comply with a legal obligation, and keeping patient records falls squarely within these. What you do need is to inform patients, amongst other things, who you are going to share their information with. Note that contact details found in the public domain, such as telephone numbers and email addresses on social media pages, are still personal information under the Act, and section 69 applies to them just the same. Have you started your POPI implementation yet? Time is running out. Get the EasyPOPI DIY toolkit today!

POPI act comes into effect on 1 July 2021, or does it?

We often get asked whether the POPI Act will really come into effect on 1 July. If we had to bet on it, our answer would be yes. Here are some of our reasons. Firstly, because the Information Regulator said so. Secondly, because it has been coming for 8 years, and when the go-live date of 1 July 2021 was announced South Africa was given another year to get ready. Another compelling reason is the number of jobs the Information Regulator is advertising on its website: 44, to be exact. You might think this is a low number, but compare it with the BEE commission, which is run by a staff of 8. If you don't think this shows intent, think again. Lastly, consider the portal where you have to register your nominated Information Officer. It is now open for registration but so overwhelmed by traffic that it is experiencing glitches. The number of businesses that have started their POPI compliance journey is plain to see.

If you are still confused and uncertain about whether you need to start implementing the POPI Act, don't be, and don't worry about where to start. Like any project, it is best to just start doing something. With the EasyPOPI DIY toolkit you can't lose. Here's why. It's easy to use and understand, and we have added short tutorial videos to the solution. Even if you have done your self-scoring gap analysis and didn't quite get there, you have at least taken lots of consulting hours out of the equation: you might be left with one or two things to fix rather than staring the total project square in the eye. Managing the POPI Act is also a risk management exercise. The more elements of the Act you get right, the lower your chances of transgressing the law. If your mind is still stuck in silver-bullet, one-button, file-one-document mode, you will be paralysed with buyer's remorse and fear. Remember, POPI compliance is a continuous process and not an event. Start with something chewable and work your way up if it's needed.
Besides, it is the most affordable POPI solution on the market right now, at a once-off R1999. It's like taxes: you didn't hire the most expensive tax consultant straight away, but rather upskilled yourself on eFiling first until you needed a more complex solution. Buy it now and get some extra sleep at night.

Breach management

The Information Regulator is well aware that breaches happen; criminals will always be with us. It is up to you and your company, though, to ensure that you have taken reasonable measures to protect the personal information in your care (section 19). That being said, let's say the day arrives when a breach does occur. What are you to do?

Firstly, you need a robust plan of action, documented well in advance, so that you are ready to follow the procedure when it happens. All parties involved in the incident should assist one another to contain the breach as quickly and as thoroughly as possible. Your procedure should also control who knows what: an employee who discovers an incident reports it to their direct manager and discusses it with no one else; managers escalate to the CEO, who takes the matter to the board of directors, and the board then directs the CEO. Once a breach is confirmed, the CEO notifies, as section 22 of the POPI Act prescribes, the Regulator and the affected data subjects, as well as anyone else who may be affected by the breach, as soon as reasonably possible after discovery.

The Information Officer must document all risks, incidents and threats, and all responses to them. The details of the breach (time, place, format of the data, size of the breach, cause and possible consequences) should be recorded, and an action plan to remedy the breach, with the roles and responsibilities of all parties involved, should be implemented. Your company should have forms and written procedures for every stage of breach handling. The consequences of a breach can be catastrophic for your business if it is not managed immediately after it occurs. If you have a very data-heavy organisation, you can imagine that notifying all affected parties is a gigantic task. That is why you need software that does this task automatically. Start your POPI compliance journey today and be ready for that unfortunate day.

The cornerstone of the POPI Act

Businesses are very much still in discovery mode when it comes to the POPI Act and its implementation. It is still a big concern how many executives palm it off to the hardest-working secretary or HR person, who is then left alone to make sense of what to do. Searching the internet for the easiest, fastest, most effective way to get compliant, this individual has their work cut out for them. The POPI compliance journey is not an event but rather a continuous, lifelong process that will have to be embraced by all the data processors (the employees who process data) in your company.

The cornerstone of POPI Act compliance is to understand what personal data you keep. Creating a register of all your data subjects and the information you hold about them, and managing it continuously, is the name of the game. Anything linked to a person, such as names, ID numbers, addresses and biometric data, is what you are looking for. If you run an accounting firm you keep bank account details, tax numbers and a whole lot more.

Then you need to list the channels through which the information was collected: paper, portals or people, for example. Next, list the reasons why you are collecting the data, such as invoicing, marketing and accounting. Now list the internal and external data processors that collect that data, and where and how it is stored: notebooks, cupboards, drawers, servers, phones and so on. Then list the people who have access to this information and match that access against the reasons you collected it in the first place. If some employees don't need access to certain information, remove it.

Now the difficult part: getting proof of the lawful basis on which you keep and process each data subject's data, which in most cases will be their consent. Trying to backdate this is going to be hard, but once you draw a line in the sand and start following the process this burden becomes lighter. For new relationships, build the permission into your take-on contracts through clauses that grant it. A major change in the way we must get consent for direct marketing is the move from opt-out to opt-in (section 69). No longer can you just use personal data and give the data subject the option to unsubscribe; you must get them to buy into your reason for holding their information. We will develop this concept and what it means for marketers next week. That reason must be a mutually agreed need and interest of both parties.
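To make the mapping exercise concrete, here is a small added example in Python (ours, not part of the original post and not a format the Act prescribes) that models the register described above and runs the access review against it. Every access grant must name a purpose that was recorded for that category of information, and that purpose must be one the person's role actually pursues; a record with no purpose left is a deletion candidate. The roles, purposes, people and data categories are constructed sample data for a small accounting practice.

```python
"""Added example: a minimal personal-information register with an access review.

Everything below (roles, purposes, people, data categories) is constructed
sample data for illustration; it is not a prescribed format.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class InventoryRecord:
    category: str             # what is held, e.g. "ID number"
    channel: str              # how it was collected, e.g. "paper form"
    purposes: FrozenSet[str]  # why it was collected, e.g. {"invoicing"}
    storage: str              # where it lives, e.g. "accounting server"
    special: bool = False     # special personal information (s 26), e.g. biometrics


@dataclass(frozen=True)
class AccessGrant:
    person: str
    role: str
    category: str
    justification: str        # the purpose the person says they need the data for


# Which purposes each role legitimately pursues (an assumption for this example).
ROLE_PURPOSES: Dict[str, FrozenSet[str]] = {
    "accounts": frozenset({"invoicing", "accounting"}),
    "marketing": frozenset({"marketing"}),
    "reception": frozenset({"appointments"}),
}

# Constructed register for a small accounting practice.
INVENTORY: List[InventoryRecord] = [
    InventoryRecord("name", "web portal",
                    frozenset({"invoicing", "marketing", "appointments"}), "CRM"),
    InventoryRecord("ID number", "paper form",
                    frozenset({"invoicing", "accounting"}), "accounting server"),
    InventoryRecord("bank account", "paper form",
                    frozenset({"invoicing", "accounting"}), "accounting server"),
    InventoryRecord("fingerprint", "door controller",
                    frozenset({"access control"}), "door controller", special=True),
    # Collected years ago; nobody can still name a purpose for it.
    InventoryRecord("old newsletter list", "trade show", frozenset(), "shared drive"),
]

# Constructed access grants, as an access review would gather them.
GRANTS: List[AccessGrant] = [
    AccessGrant("Thandi", "accounts", "bank account", "invoicing"),
    AccessGrant("Susan", "reception", "ID number", "invoicing"),
    AccessGrant("Peter", "marketing", "bank account", "marketing"),
    AccessGrant("Peter", "marketing", "name", "marketing"),
    AccessGrant("Peter", "marketing", "tax number", "marketing"),
]


def review_access(inventory: List[InventoryRecord],
                  grants: List[AccessGrant]) -> List[Tuple[AccessGrant, str]]:
    """Return (grant, reason) for every grant that fails the purpose match.

    A grant passes only if the category is in the register, the stated
    justification is a purpose recorded for that category, and the person's
    role is one that pursues that purpose. Anything else is access to remove.
    """
    by_category = {r.category: r for r in inventory}
    findings: List[Tuple[AccessGrant, str]] = []
    for g in grants:
        rec = by_category.get(g.category)
        if rec is None:
            findings.append((g, "category is not in the register"))
        elif g.justification not in rec.purposes:
            findings.append((g, f"'{g.justification}' is not a recorded purpose for '{g.category}'"))
        elif g.justification not in ROLE_PURPOSES.get(g.role, frozenset()):
            findings.append((g, f"role '{g.role}' does not pursue '{g.justification}'"))
    return findings


def deletion_candidates(inventory: List[InventoryRecord]) -> List[str]:
    """Categories held with no recorded purpose: the less you keep, the better."""
    return [r.category for r in inventory if not r.purposes]


if __name__ == "__main__":
    for grant, reason in review_access(INVENTORY, GRANTS):
        print(f"REMOVE {grant.person} ({grant.role}) from '{grant.category}': {reason}")
    for category in deletion_candidates(INVENTORY):
        print(f"DELETE '{category}': no purpose recorded")
```

Run as a script it lists three grants to remove (the receptionist holding ID numbers for invoicing, the marketer holding bank accounts, and a grant to a category nobody put in the register) and one category to delete. The point of keeping purposes on the register rather than on the grant is that the register is the thing you maintain continuously; the review can then be re-run whenever staff, roles or systems change.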

Before you lose heart, know that EasyPOPI's team will help you through this process without breaking a sweat. Also, this exercise can be a hugely fruitful endeavour, as some business owners will be looking at their data for the first time ever. You will be surprised how you can improve your sales by understanding your data. Secondly, you can minimise your risk of being fined by deleting and destroying data that you don't need any more. The golden rule is: the less data you keep, the better. Download the EasyPOPI DIY toolkit or ask us about doing everything for you today. The deadline is only 57 days away!

The biggest risk to POPI compliance

With the POPI compliance deadline now 64 days away, South African businesses are getting ready for compliance. This will be a journey. Definition: an act of travelling from one place to another, with the emphasis on travelling, which implies taking some time. POPI compliance is not an event. Definition: a single occurrence of a process. Why is this important? Because your employees, the data processors, are the ones who are going to live POPI every day for the rest of your business's existence. Let that sink in. You must get them on the train. They have to understand it, buy into it and take it seriously.

Not only are the data processors accountable for the lawful processing of personal information, they are also your biggest risk. You can have iron-bar cyber security, the best processes in the world and the most knowledgeable Information Officer, but if Susan the receptionist decides one day to hand your customer base to her cousin to sell milk tarts to them, you have a big problem: a R10 million problem, or an orange-onesie problem. It is of the utmost importance to continuously remind employees of the consequences of data breaches and leaks. Gone are the days of dumping un-shredded hard copies in the dustbin and sending emails without checking the recipients carefully. Did you know that sending an email to the wrong recipient can earn you a R1.2 million fine?

We find it helpful to communicate sections of the POPI Act in plain language on a weekly basis and to make it fun for your staff. Make it fun. We all know what Rocky-like exercise we put ourselves through to earn a Discovery smoothie. Gamification is the application of game-design elements and game principles in non-game contexts. Create some fun reward and recognition programmes to keep your staff educated and committed to the cause. Start today by downloading the EasyPOPI DIY toolkit, which now includes a visual office kit with 10 posters to create awareness.

The value of personal data

The 30 June POPI Act compliance deadline is upon us and panic is setting in slowly but surely. Every day small businesses ask us what they must do to become compliant. Not only do they not know how to do it, they do not understand that personal data is valuable. Consider the most valuable companies in the world, like Facebook and Google. They are worth billions because they know everything about us: from the time you wake up, to the route you take to work, the music you want to listen to and which adverts are most likely to catch your attention. These companies would not be so valuable if your personal data were not valuable. Personal data needs a mind shift, and I find it extremely helpful to think of every personal data record as a Krugerrand. You store, handle and manipulate them every day. The only problem is that you are keeping those “coins” on behalf of someone else, because they have trusted you with your products and services. How many coins does your business keep? A hundred? A thousand? Tens of thousands? If personal data records really were gold coins, where would you keep them? How safely would you keep them, considering that they are so valuable and that they are borrowed?

Let us take a hypothetical journey through an auditing process to illustrate the point. One day a POPI compliance inspector will arrive at reception, much like the labour department when they ask to see your employment equity plan. He enters with the mindset of a “Krugerrand thief”. He signs your Covid register and then asks to be taken on a tour of the business. Walking down the corridor, he enters the first office. Susan the credit lady is in the kitchen making her seventh cup of coffee for the day. On her desk are five open customer files and her PC is unlocked. The Krugerrand thief takes a picture of the files, inserts his flash drive and saves your customer database on it. Immediate fail! Remember, compliance means 100% compliant; 99% will earn you a fine. Let's imagine instead that she locked her files in the filing cabinet and locked her PC. He enters the marketing department and asks Peter the sales rep to give him all the sent emails relating to sales and marketing for the last month. Next he wants you to produce the consent given by every data subject who received the marketing email. Peter cannot produce it. So Peter has borrowed someone else's Krugerrands without their permission. Fail!

The analogy above goes on and on. The biggest favour you can do your business is to start educating your employees with this mindset. It's practical and puts the entire law into perspective. Remember, your employees, because they are human, are your biggest risk. Check out our next topic, where we will elaborate on the human factor.

In the meantime, just start your journey now! Our EasyPOPI DIY toolkit will put you on the fast track for less than a fancy dinner for two.