POPI comes into effect on 1 July 2021 – What you need to know

Paul Bedford

Well-Known Member
Joined
Feb 26, 2014
Messages
282
The main thing anyone with a small business needs to consider is Chapter 3, Section 19 of POPIA, which states organisations must take appropriate measures to prevent '(a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information'.

Things you need to consider include:

Do you have a password to access your computer?
Who else has access to it (computer or password)?
Do you have backups?
Are they encrypted?
Do you store any client data outside of SA (think online invoicing systems)...?

Organisations can still be considered compliant even if they fall victim to a data breach, provided they can prove that they took every reasonable step to prevent such a breach.

Using a password manager, making sure you have some form of anti-virus software, and limiting access to personal information to those who need it to carry out their responsibilities are all things that can show you are taking reasonable steps to prevent a breach.
 
Joined
May 9, 2012
Messages
9,318
Jesus I need a drink after today, suddenly everyone is an online privacy expert.

And you, yes you, the client who is informed that the info I have is only on the copy of his invoice from an order 2 years ago that I have to keep for 5 years and then gets uppity and threatens legal action when I refuse to delete it. Well guess what, I know I said I deleted it but I really really didn't.

/rant
 

rietrot

Honorary Master
Joined
Aug 26, 2016
Messages
26,711
Jeez, I'm so confused, can anyone help please.

Smallish business with 200 account customers. Do we have to approach every customer to confirm their details and ask for permission to put their phone numbers on our website and do we have to do it now or has it been postponed?

It's simple to email every customer but the bulky POPI act is a nightmare and requests I've received are ridiculously loooooooooooooong.

Our lawyers sent a 46 page document :mad: :mad: :mad: I thought they'd provide a concise version but noooo.

Do you have a reason to have their numbers on your website?

Sounds like a business directory/listing type of thing and numbers that would be public info in any case.

Then no. You don't have to do anything.
 

garp

Executive Member
Joined
Aug 2, 2004
Messages
9,073
Jeez, I'm so confused, can anyone help please.

Smallish business with 200 account customers. Do we have to approach every customer to confirm their details and ask for permission to put their phone numbers on our website and do we have to do it now or has it been postponed?

It's simple to email every customer but the bulky POPI act is a nightmare and requests I've received are ridiculously loooooooooooooong.

Our lawyers sent a 46 page document :mad: :mad: :mad: I thought they'd provide a concise version but noooo.
Do you have their personal information? If not, then you don't have to do anything.

If you do, then if there is a breach or a complaint then you will need to be able to show that you have consent to hold the data, that you only have what is needed and for as long as you need it, and that you won't use it for any other purpose than intended, and that it is adequately secured. So, no you don't strictly need all this documentation up front, i.e. there is nothing illegal about not having it, but you will need to somehow demonstrate all of these things were in place if something goes wrong.

This is why the lawyers etc recommend you sign a data processing agreement with your clients and document your processes, personal data etc because then if there is a breach you can show that you took all reasonable measures, which will count for a lot more than just saying you did.

Obviously, this is also a matter of what is reasonable and proportional, which is where it becomes a grey area. Obviously, if all you have is a few client records with nothing more than name and email, then it's probably fine to show that you kept it securely where it was inaccessible without a password. But if you were, say, a GP with thousands of patients' medical records on a management system, that's another story.
 

maumau

Honorary Master
Joined
Aug 13, 2009
Messages
18,047
Thank you so much @rietrot and @garp you've helped a huge amount, this is what our lawyer should have told us.

Appreciate the advice.
 

maumau

Honorary Master
Joined
Aug 13, 2009
Messages
18,047
Do you have a reason to have their numbers on your website?

Sounds like a business directory/listing type of thing and numbers that would be public info in any case.

Then no. You don't have to do anything.

Spot on :) we're wholesalers and the list is names, addresses, phone numbers of retailers selling our products.
 

TedLasso

Expert Member
Joined
Feb 23, 2016
Messages
2,472
You really don't need consent to process information (normal PI, that is). You can use the legitimate interests provision to process PI. Of course, perhaps your public-facing privacy policy and PAIA manual should state this and what you do with it. If a data subject objects (delete my info) or requests correction, you must comply where reasonably possible.

That's how ours has been done. If our lawyers were wrong, then I go to jail. Hahah
 

rvZA

Executive Member
Joined
Jan 3, 2021
Messages
6,451
Is POPI only happening in South Africa?

POPI only applies to private people and businesses who process data in South Africa.

So, if you are a local company processing / storing data in South Africa, POPI applies to you.

If you are a foreign company operating in South Africa, processing data in South Africa, POPI applies to you.

If you are a foreign company with South African clients, but your data is held abroad and processed abroad, POPI does not apply to you.

Other countries do have their own similar laws. The UK and EU have the GDPR, and California in the US will soon have its own act.
 

Ryan Innes

Senior Member
Joined
Nov 30, 2011
Messages
641
Nope, only the deadline to register your Information Officer has been lifted due to the broken registration.

From what I understand, what was dropped until Feb 2022 was the requirement that you had to receive authorisation before processing sensitive data and data of minors. I gather they realised there is no way they could respond to the volume of authorisation requests. However, you still legally have to submit the application form. The only difference is that you needn't wait for approval.
Thanks for the feedback, I've downloaded the manual application but can't find an email address to submit it to unless I've missed something.
 

garp

Executive Member
Joined
Aug 2, 2004
Messages
9,073
No, Europe has its own version called GDPR which came into effect in 2018.
Fun fact, GDPR apparently based much of its regulations on our draft POPI act, which was considered world leading. Except we took so long to implement it that GDPR has been running for years already. I don't endorse any of it though - I agree with the intention but think it's way too much unnecessary regulatory burden.
 

rambo919

Honorary Master
Joined
Jul 30, 2008
Messages
17,887
I just realized something.... this means no one may ask for confirmation details over the phone from a call centre now?
 