There’s been a lot of song and dance about it in the past couple weeks, as we were all flooded with generic notifications on our WhatsApp groups when the Protection of Personal Information Act (aka POPI Act) came into effect on 1 July 2021. So, what is all the fuss all about? What does this piece of legislation have to do with you, as an individual, and what do you need to know about how it updates South African data privacy law? Let’s start with some questions.
What exactly is the POPI Act?
POPIA is South Africa’s data privacy law and it stands for the Protection of Personal Information Act, 2013. This piece of legislation controls when and how organisations can collect, use, store, delete and handle our personal information.
What counts as “personal information” under the POPI Act?
Broadly speaking, information is personal when it can be used to personally identify a natural or juristic person. (Natural person like you, or juristic person, such as your business) This is information that relates to names, identity numbers, ages and addresses.
The POPI Act: What is the meaning of this privacy legislation?
The goal of the POPI Act is to protect data subjects (that’s you) from security breaches, theft, and discrimination. To get this right, the Act sets out eight principles that South African data processors (that’s any business) must follow. These principles set out guidelines for responsibility in data handling, security and data subject consent, while providing special protection for specific data categories, and information belonging to minor children.
The principles contained in the POPI Act include:
- Accountability: Businesses must ensure that the information processing guidelines are adhered to.
- Processing restriction: Information processing must be lawful, and personal information is permissible only where it is sufficient, relevant and within the scope of purpose for which it is processed.
- Specific purpose: Personal information should only be collected for specific, defined and legal purposes as necessary for the business to perform a service or activity.
- Transparency: The data subject must be made aware of certain things by the business that holds their data including what data the business holds, the name and address of the responsible party, the purpose for which data is collected and whether the information provided by the data subject is provided on a voluntary or mandatory basis.
- Additional processing restrictions: This governs the manner in which the data subject’s personal information is received and transferred to another responsible party for processing.
- Security measures: The business must safeguard the integrity of the personal information that is under its control by putting security and data management measures in place to prevent the loss of, damage to or unauthorised destruction of personal information.
- Data subject participation: According to the POPI Act, as a data subject you have the right to:
- Request details on the personal information that the business holds on you, without having to pay a fee
- Update or destroy personal information relating to you if it is incorrect, irrelevant, superfluous, misleading or unlawful; and
- destroy any record of your personal information if it is unnecessary for the business to keep.
What is the POPI Act, and what does it mean for SA business institutions and data processors?
The POPI Act is important because it is supposed to provide protection for data subjects (like you) from harm such as identity theft or discrimination. The risk for businesses that do not comply with the requirements of the POPI Act include repercussions such as reputational damage, fines and imprisonment, and paying out damages claims to data subjects who have had their rights infringed. The biggest risk, aside from immense reputational damage, is a hefty fine for failing to protect personal information, such as account numbers.
In essence, POPIA stipulates conditions that businesses must meet in order to ensure that their activities allow for the lawful processing of personal data of South Africans (both citizens and those living in South Africa). It also provides South Africans with rights regarding unsolicited electronic communications. (Finally!)
What does the POPI Act say about unsolicited direct marketing?
Does it mean an end to being bombarded by cold sales calls? Yes! According to POPI Act Compliance:
- Section 69 prohibits direct marketing through any form of electronic communication unless the data subject has provided consent.
- The definition of electronic communication encompasses email, SMS and automated calling services.
- A data subject may only be asked to consent to marketing communications once, and if it is refused, it is deemed thereafter to be permanently irrefutable.
However, the rules are a little different if the data subject is the company’s customer.
- Here, the customer’s information has been captured in the context of a transaction – the sale of a product or service, for example.
- It may be used for direct marketing that relates to the supplier’s own similar products or services, but the customer must be given the right to opt out at the time of data capture and each time they receive such a communication.
So what’s the big deal about the POPI Act? It’s just another data privacy law, right? Not exactly. POPIA differs from most privacy laws in several ways, but the biggest difference lies in the application of consent. POPIA does not require consent from data subjects before their data can be processed. Consent only needs to be obtained before processing special types of data or data belonging to children.
The POPI Act: who must comply with it?
The POPIA Act applies to everyone. Any person or organisation that keeps any record relating to the personal information of anyone, unless those records are subject to other laws that impose stricter protection on the information.
FinGlobal: trustworthy cross-border financial services provider
Choosing FinGlobal means choosing the peace of mind that comes from knowing that your money (and personal information) is safe in the hands of a cross-border financial services institution that is strictly regulated by the relevant authorities in South Africa.
FinGlobal’s credentials include:
- We are a Licensed Financial Services Provider (# 42872) with the South African Financial Sector Conduct Authority (FSCA). Click here for membership verification.
- We are fully accredited and registered with South Africa’s Financial Intelligence Centre (FIC).
- We are a Licensed Treasury Outsourced Company with the South African Reserve Bank (SARB).
- We run a SSL Security Certified website to provide for secure online connections to ensure your interactions with us are encrypted and remain completely private.
- Private information is stored on a CRM platform with ISO 27001, 27017 and 27018 certifications.
- We are a signatory to the Unashamedly Ethical Campaign.
Read more about who we are, what we do, and then get in touch with us to discuss your next transaction.