In July 2020, the South African Parliament enacted POPIA. It is the nation’s latest and most prominent data privacy law governing the personal data of South Africans. With a series of new data privacy laws coming into effect worldwide – such as the GDPR and the CCPA – this marks the latest addition, enhancing South African regulations to reflect new global norms.
All organizations operating in South Africa must be knowledgeable about and compliant with the new standards. Otherwise, they risk incurring significant penalties and consequences.
What is POPIA?
POPIA, or Protection of Personal Information Act, was first passed in 2013. However, after seven years in legal limbo, the Act finally came into effect in July 2020, with a one-year grace period to help compliance. Even worse, POPIA was first drafted back in 2003 and went through numerous iterations.
In its present form, the law aims to give South African citizens’ rights over their personal data, including the right to correct, access, and delete any personal information an organization may possess.
Moreover, organizations do not need to be located inside South Africa for the law to be applicable. Indeed, like the GDPR, any organization possessing South African citizens’ personal data must be compliant with POPIA.
What are the rights of data subjects under POPIA?
Like other data privacy laws, POPIA enshrines certain inalienable rights to data subjects. These guarantee greater control of personal data collection, use, and disclosure to individuals and ensure greater transparency from organizations.
According to Chapter 2(5), POPIA includes the right (important statements highlighted in bold):
- to be notified that—
1. personal information about him, her or it is being collected as provided for in terms of section 18; or
2. his, her or its personal information has been accessed or acquired by an unauthorized person as provided for in terms of section 22;
- to establish whether a responsible party holds personal information of that Data subject and to request access to his, her or its personal information as provided for in terms of section 23;
- to request, where necessary, the correction, destruction or deletion of his, her or its personal information as provided for in terms of section 24;
- to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information as provided for in terms of section 11(3)(a);
- to object to the processing of his, her or its personal information—
1. at any time for purposes of direct marketing in terms of section 11(3)(b); or
2. in terms of section 69(3)(c);
- not to have his, her or its personal information processed for purposes of direct marketing by means of unsolicited electronic communications except as referred to in section 69(1);
- not to be subject, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its personal information intended to provide a profile of such person as provided for in terms of section 71;
- to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information of any Data subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator as provided for in terms of section 74; and
- to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information as provided for in section 99.
In short, the Act guarantees a data subject the right to meaningful consent of the collection, use, or access of their data. They may also request the destruction or correction of their data. And, in circumstances where their rights are infringed, they have the right to raise a complaint and sue the organization in question.
What is considered personal data under POPIA?
Most data privacy laws have taken a broad stance when defining personal data. POPIA is no different. Here, it includes “any kind of information relating to an identifiable, living natural person, company, or similar legal entity.”
– Names, addresses, email, or phone numbers
– Identity markers: gender, age, ethnicity, sexual orientation, political beliefs, etc.
– Health data
– Online identifiers: cookies, IP addresses, browser history, location data, etc.
Penalties and enforcement under POPIA
Under the GDPR, the financial penalties incurred can be substantial. POPIA includes lower financial penalties but does set out the possibility of imprisonment or sanctions for guilty parties.
Offences and non-compliance are the responsibility of the Information Regulator, and it is they who administers monetary and criminal penalties.
Section 109 states that the maximum fine for infringement is ZAR 10 million (approx. €490,000). Meanwhile, section 107 states that certain violations can result in a prison sentence of up to 10 years.
All complaints from data subjects must first be submitted to the Regulator, who is then charged with investigating the case. Then, the Regulator must decide whether to proceed with the action or desist from further penalties.
Following POPIA finally coming into effect, an organization operating in South Africa must ensure their compliance. Thankfully, those who are already GDPR-compliant will find little difference between the two acts. Indeed, the GDPRs eight conditions for lawful data processing are mirrored in POPIA.
In short, to guarantee you are in accordance with POPIA:
- Always ask for informed, meaningful consent.
- Provide an option for consent to be rescinded at any time.
- Keep data subjects informed of any changes to data processing.
- Only process data as per the stated conditions and the data subject’s rights.
Follow these four simple steps, and you’ll be most of the way towards complete POPIA-compliance. For further information on the Act, please refer to the original legislation here.