We’ve all seen a flurry of emails and WhatsApp messages from businesses informing us that our details are currently stored on their database, but what does the POPI Act mean for small to medium businesses, and how do they stay compliant?
Compliance with the Protection of Personal Information (POPI) Act became mandatory on 1 July 2021. This applies to all types of businesses that hold or process personal information, regardless of whether they are a sole proprietor, private company or close corporation, and regardless of size.
The purpose of the Act is to ensure that businesses protect the information they hold and process in relation to an individual (referred to in the POPI Act as a data subject), and to hold those businesses accountable for how they store, process and destroy that information.
A question we get asked is: how do I know if I am compliant, and if I’m not, how do I become compliant? The POPI Act requires a business to be able to show that it has taken reasonable steps to comply with the Act. Here are the steps to follow:
- Personal information must be collected with the consent of the individual. In the case of a minor or otherwise incapacitated person, the consent of the individual’s legal guardian is required.
- The individual has a right to request access to all personal information stored or processed by a business, and the personal information must be disclosed to that individual upon request.
- All personal information relating to an individual that is processed must be processed in line with the purpose for which it was collected and that purpose must be clearly communicated to the individual.
- All persons processing personal information must be authorised by the responsible person within the business. All businesses must ensure that such authorised individuals within the organisation are aware of their obligations when processing personal information.
- Should an individual’s personal information need to be processed for a purpose other than that for which it was collected, that individual’s consent is required.
- All businesses processing personal information must have an information officer registered with the Information Regulator.
- All personal information in the possession of a business must be secure and protected, both physically and across digital platforms.
- The reasonable measures taken must be documented so that compliance with the legislation can be evidenced to the Information Regulator.