Companies only have a few months left to comply with the Protection of Personal Information Act No 4 (POPIA) of 2013 as the one-year grace period will come to an end on 30 June 2021. This is after the President proclaimed 1 July 2020 as the official commencement date. 

The Act is considered to be South Africa’s answer to the European Union’s General Data Protection Regulation (GDPR) and carries out section 14 of the Constitution that gives everyone the right to privacy. 

In an article with It Web, Francis Cronje, an information governance specialist and contributor to the POPIA Act, said, “the purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way.”

What does this mean for South African businesses and how will they be affected? 

The Act applies to any person, organisation, private- or public body who processes or keeps personal information of anyone – unless those records are subject to other legislation that protect such information more rigorously. POPIA thus does not only apply to large companies that process information, but also small businesses. “Personal information” is defined as any – or a combination of information that might identify an individual or juristic person. This includes a person’s: ID number, email address, physical address, company registration number, demographic information, personal history, contact details, and communication records. 

As the Act regulates how personal information should be handled – from the moment it is collected until it is destroyed – the rules around how businesses handle client information has become stricter. Businesses will thus be required to get consent from individuals before they retain, obtain or process personal information for communication purposes. In the case where businesses fail to safeguard subjects’ personal information, they need to notify the data subject that their information has been compromised. 

As a result, the personal information of individuals and juristic entities is protected, which prevents information from being exposed that might lead to identity theft, financial fraud, damage as well as the misuse and abuse of personal information.              

With only a few months left to comply with the POPIA Act, businesses need to ensure that they have made necessary changes and planning as the POPIA is not going to change. According to Cronje, businesses who fail to comply with the Act will face severe consequences – whether it be intentional or not. Depending on the seriousness of the violation, businesses will be fined up to R10 million or receive a jail sentence of up to 10 years. 

“Failure to comply with certain provisions of POPIA may result in the Information Regulator (IR) imposing an administrative penalty of up to R10 million as of 1 July 2021 or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment”, the regulator said this week in an article by Business Insider South Africa.

The aggrieved party is also allowed to lodge a complaint with the IR if the responsible party fails to comply with POPIA and if the responsible party causes the breach due to negligence or otherwise. Furthermore, the Act sets out civil remedies to an aggrieved party, such as: payment for damages as compensation for losses suffered, interests, and costs that are determined by the court.  

Although complying with the Act might seem like an extra burden, Alison Treadaway, Managing Director at customer communication management specialist Straita, believes that the Act will be beneficial for South African businesses. In an interview with It Web, she said that the Act brings South Africa’s data protection laws in line with other countries which means that South Africa is more appealing and a less risky business target, promoting accountability and transparency in data use.  

“Personally, I see this Act motivating good practice and achieving the required level of data protection, which will open up opportunities for South African businesses,” Treadaway said.