“POPI” (the Protection of Personal Information Act) gives us important new protections against misuse of our “personal information” – widely defined to cover not just our names, identities and contact details, but also a wide spectrum of private information, including things as diverse as race, religion, gender, sexual orientation, and medical, financial and employment history. It even extends to information relating to our “personal opinions, views or preferences”, other people’s opinions about us, and private or confidential correspondence.
Businesses take note
You will be responsible for compliance with POPI’s stringent requirements in regard to the collection, usage, storage and disclosure of personal data, and you risk severe penalties (and substantial damages claims) for any contravention.
Your responsibility extends to virtually every kind of personal information obtained by or held by you, including for example information relating to your clients/customers, your suppliers, your employees, visitors, and so on.
The clock is ticking
POPI has been signed into law, but it hasn’t yet come into effect – that only happens when a “commencement” date is chosen and announced later. You will also have at least a year after commencement to comply, but the clock is ticking and there are requirements here that will mean embedding compliance procedures into all your business systems. In other words, you need to start now on identifying what personal data you hold, why and under what authority you hold it, and how secure it is.
We’ll let you have some practical advice on how to go about actually preparing for compliance in future newsletters, particularly once POPI commences, the Information Regulator is appointed, and the regulations are promulgated.