Businesses collect a vast quantity of information on their clients, both from their compliance with FICA (Financial Intelligence Centre Act No. 38 of 2001) and within the course and scope of their business activities. South African businesses have countless aspects of our law to uphold to be compliant within our jurisdiction. Currently, one of the more pressing pieces of legislation is POPIA (Protection of Personal Information Act 4 of 2013). POPIA, although enacted in 2013, has certain provisions which were made effective on the 1st of July 2020. However, there is a grace period of one year that allows businesses to make the necessary arrangements and put systems in place to be compliant with the Act by the 1st of July 2021, which is when the grace period expires. Businesses therefore need to ensure that they are fully compliant before then.
The Protection of Personal Information Act (POPIA) was enacted to give effect to section 14 of the Constitution of the Republic of South Africa Act 108 of 1996, the right to privacy. This means that the Act aims to facilitate access to information for both the private and public sectors while maintaining individuals’ right to privacy. The Act looks at the data retention policy of businesses and has put in place certain safeguards for the access, retention and dissemination of information outlined by the Act.
The GDPR (General Data Protection Regulation) applies to member states of the European Union, and any business outside of Europe that transacts with a European-based company will need to comply with the GDPR in order to continue that business relationship. The GDPR and POPIA, although similar in aim, are not the same piece of legislation, and compliance with the one does not result in automatic compliance with the other. However, businesses compliant with the GDPR are likely to have an advantage when attempting to comply with POPIA. Aside from these advantages with the GDPR, another advantage to be noted is that compliance with it opens avenues for business with European-based companies, which satisfies the aim of all businesses: to generate revenue.
POPIA requires responsible parties to accurately identify individuals with whom they transact. POPIA makes provision for three responsibilities of the Information Regulator. The first is providing education to data subjects, ministers and public or private bodies. The second is consultation with interested parties as well as handling disputes or complaints. The third is for research to be conducted and codes of conduct to be issued.
These are just the basic responsibilities of a business in compliance with POPIA. Actual compliance with the complete Act requires much more work and technical understanding of the Act.
Should you or your business require assistance in ensuring your compliance with POPIA, or have more questions and concerns about compliance, contact us and we will gladly assist.