Protection of Personal Information Act (POPI)   KPMG Durban

2014-11-22

Protection of Personal Information Act (POPI)
 
The South African legislative environment is constantly changing - often before business has become completely comfortable with its obligations under the preceding legislation; a challenge for any company director.
It was no different when the Protection of Personal Information Act (POPI) was enacted in November 2013. Much fanfare was made in the press about the Act, but most especially about the “radical” changes that business is expected to adopt in order to be compliant. Almost every comment made noise about the fines that would be imposed if businesses failed to comply with its provisions. But how much of this is hype?
The facts
• POPI applies to every private and public body (referred to collectively in this article as ‘companies’), giving specific rights to natural and juristic persons in the way that their personal information is handled.
• POPI will require changes to the way in which companies conduct themselves, possibly extensively and almost certainly differing from one company to the next depending on the nature of their business in terms of the use and processing of personal information.
• POPI does provide for significant fines and criminal sanctions on companies, directors and other employees who fail to comply with its provisions.
• The effective date for POPI has not yet been determined, save for the provisions relating to the establishment of the Information Regulator, which became effective in April this year.
Now is the time for business to be getting POPI ready. We suggest that a good understanding of the POPI Act is necessary to prepare companies.
POPI: a snapshot
1. Be aware that POPI will be applied broadly to a wide range of situations and will require an explicit, considered assessment on a case-by-case basis
2. Processing of any personal information must be lawful in terms of the eight conditions set out in the Act, generally requiring prior consent (that may be withdrawn at any time) and considered in terms of the purpose for processing
3. Companies must identify a defined purpose to collect information and the ‘data subject’ must be made aware of this purpose
4. Further processing of personal information (i.e., beyond the original purpose) needs additional consent
5. Data subjects have a right to be informed about what information is collected and who has access to that information
6. Data subjects have the right to object to processing and are entitled to request access to, as well as the correction and removal of, their personal information
7. Responsible parties remain responsible, even where the information is transferred to another party for processing on their behalf
8. All personal information must be complete, accurate and kept up to date
9. Companies must have a retention and destruction policy. Personal information cannot be kept any longer than is necessary to achieve the original purpose for which it was collected
10. Companies need to take specific security measures to maintain the confidentiality and integrity of the personal information, regularly monitoring and updating these, and notifying the Information Regulator and data subject of any breaches.

Clearly, POPI touches on many facets of a business and, at first glance, may appear overwhelming to deal with at once. It is therefore key for any business to have a clear strategy that ties into existing, industry-specific legislation that already covers data protection to some extent.
 
Nikki Pennel
Nikki Pennel is a senior manager in the Corporate Law Advisory Practice at KPMG, and focuses on data protection and the impact of POPI on business.
+27 (0)82 719 5916
nikki.pennel@kpmg.co.za
 





Copyright © 2024 KwaZulu-Natal Top Business