The Protection of Personal Information Act (POPI Act) is an essential piece of legislation enacted in South Africa that outlines the regulations and processes for the collection, handling and use of personal information. It came into force on 1 July 2020 and seeks to regulate how data flows from one person or entity to another.
The POPI Act became a priority in South Africa after violations were reported with regard to large companies collecting customers’ information without their knowledge or consent.
The POPI Act seeks to balance the need for data protection with the rights of entities processing personal information by providing eight conditions for lawful processing, which are as follows:
1. Processing must be responsible;
2. Data must be relevant;
3. Data must be collected lawfully;
4. Data must be used for the specific purpose for which it was collected;
5. Data must be secure and protected;
6. Data must be accurate, up-to-date and complete;
7. Processing of data must be done in accordance with the individual’s rights, as prescribed in the POPI Act; and
8. Personal information can only remain in existence for as long as necessary to fulfill the purpose for which it was collected or processed for further purposes compatible with that original purpose.
The POPI Act also provides South African citizens with certain rights including:
1. The right to know what personal information is being held about them by an organisation and to access a copy of that information;
2. The right to request the correction or deletion of inaccurate, out-of-date, incomplete or irrelevant personal information;
3. The right to object to direct marketing from companies;
4. The right to withdraw consent for any processing activities based on consent previously given (such as the sharing of data with third parties).
Violations of the POPI Act may result in penalties ranging from fines of up to 10 million Rand or imprisonment for up to 10 years. Organisations are also encouraged to self-regulate and ensure compliance with the POPI Act’s regulations, for example by setting up internal processes and procedures for collecting, handling and using personal information.