Processing of Personal Information Act (POPI) now fully in force in SA

Following a delay in the commencement of the POPI Act due to the COVID-19 pandemic, the Act came fully into effect on 1 July. All South African organisations must now be POPI compliant.

So what is POPI?
POPI refers to the Processing of Personal Information Act and is an important milestone in South Africa for the right to privacy and data protection against security breaches, discrimination and theft.

We summarise below the key aspects of the Act, along with a comparison with the General Data Protection Regulations (GDPR) which apply across the EU, and the actions required to ensure that your organisation is POPI compliant:

Main points of the Act:

  • Accountability
    • All personal information must be processed lawfully and in a reasonable manner that does not infringe on the subject’s privacy.
  • Processing Limitation
    • Personal information may only be processed when necessary for the purpose given and must be relevant and not excessive.
    • Personal information may only be processed in particular circumstances (outlined in the act).
    • Proof of consent must be acquired.
    • Consent can be withdrawn.
    • Personal information must be collected directly from the data subject (exemptions apply).
  • Purpose specification
    • Personal information may only be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the user.
    • The subject must be aware of the purpose of the collection of information.
    • Records of personal information may only be retained for the period necessary to achieve the purpose for which the information was collected (exemptions apply).
    • After this period, records must be destroyed or deleted as soon as reasonably practical.
  • Further processing limitation
    • Further processing of personal information is only permitted if related to the purpose for which the information was originally collected.
  • Information quality
    • User must ensure personal information is complete, accurate, not misleading and updated when necessary.
  • Openness
    • Documentation of all processing operations must be maintained.
    • When personal information is being processed, the data subject must be notified. They must be made aware of:
      • The information being collected
      • Source of the information, if not collected from the data subject
      • Name and address of the responsible party
      • The purpose for which the information is collected
      • Whether mandatory or voluntary
      • Consequences of failure to provide information
      • Any applicable laws authorising or requiring the collection of information
      • Any intention to transfer information to a third party
      • Any other specific information that is necessary to enable processing of the data.
    • The individual must be made aware of the above in advance of collecting the information (exemptions apply).
  • Security safeguards
    • Responsibility to secure the integrity and confidentiality of personal information.
    • Take appropriate measures to prevent the loss of, damage to, unauthorised destruction of or unlawful access to or processing of personal information.
    • Identify security risks and implement safeguards, with regular updates.
    • Safeguards must also be established with any third party operator.
    • Notification and details of security compromises must be made to the Regulator and the affected party.
  • Data subject participation
    • The data subject has the right to know what personal information, if any, is held.
    • The data subject may request that data held be corrected, deleted or destroyed.
  • Processing of special personal information
    • Personal information relating to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour cannot be processed (exemptions apply).
  • Processing of personal information of children
    • Processing of information of children may only be authorised in limited circumstances.
  • Exemptions
    • The Regulator may exempt processing of personal information in limited circumstances.
  • Information Regulator and Information Officers
    • Under the Act, the Information Regulator and Enforcement Committee will be established.
    • Information Officers (and deputies, where applicable) will be appointed by public and private bodies.
    • Duties, power and responsibilities of the above offices are outlined in the Act.
  • Prior Authorisation
    • Prior authorisation for processing information must be sought from the Regulator if the data will be used to:
      • Process unique identifiers of the data subject, for a purpose other than originally intended at collection, with the aim of linking the information processed by third parties.
      • Process information on criminal behaviour.
      • Process information for credit reporting.
      • Transfer special personal information or personal information of children to a third party in a foreign country that does not provide an appropriate level of protection for processing such information.
  • Codes of conduct
    • Codes of conduct may be issued by the Regulator.
  • Direct Marketing
    • Processing personal information for the purposes of direct marketing by any form of electronic communication (including automatic calling machines, fax machines, SMS or email) is prohibited unless:
      1. the data subject has given consent, or
      2. the data subject is a customer, and:
        1. contact details were obtained in the context of the sale of a product or service;
        2. the marketing is for the purposes of direct marketing of a similar product or service; and
        3. the customer was given a reasonable opportunity to object to the same.
    • Consent may only be sought once.
    • Any direct marketing communication must contain details to identify the sender and contact details to which the recipient may send a request to cease such communication.
  • Transborder Information Flows
    • A transfer of personal information to a third party in a foreign country may only take place if the third party is subject to law, binding corporate rules or a binding corporate agreement that uphold principles similar to this Act.
    • Any transfer must be necessary, with the consent of the subject and for the benefit of the subject.
  • As of 11 April 2014, Section 1 (Definitions), Part A of Chapter 5 (Establishment etc. of the Regulator) and sections 112 (Regulations) and 113 (Procedure for making regulations) came into operation, with the remainder delayed until 1 July 2020.

How is POPI different to GDPR?:

  • The main principles of GDPR and POPI are similar, so if you are GDPR compliant you are largely POPI compliant already. The main differences lie in the following areas:
    • Exemptions
      • GDPR provides exemptions for some SMEs, however, the POPI Act does not.
    • Legal Entities
      • GDPR does not protect legal entities, whereas the POPI Act relates to not only an individual person but any legal entity.
    • Information Officer
      • POPI requires that every organisation appoint an Information Officer. An Information Officer of a public body means an information officer or deputy information officer, and in a private body means the head of the private body (section 1 of the Promotion of Access to Information Act).
    • Security
      • Principles regarding security vary slightly. Unlike GDPR, the POPI Act holds all personal data types as equal in terms of risk and importance:
        • GDPR states that “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected”, whereas
        • POPI states that “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures”.
    • Penalties
      • Under POPI, administrative fines should not exceed R10 million (STG465K), and/or a maximum imprisonment of 10 years, compared with a maximum fine of STG17.5m or 4% of annual turnover (whichever is higher) under GDPR in the UK. (GDPR penalties vary between member states.)
    • Jurisdiction
      • The POPI Act applies to South African businesses in South Africa only.
      • South African businesses that store data, or use third-party organisations to process that data, in a foreign country must ensure that that country is subject to law, binding corporate rules or a binding corporate agreement that uphold principles similar to POPI.
      • GDPR applies to individual EU citizens’ data and therefore covers all businesses outside the EU that do business within the EU or with EU citizens.

What action does my business need to take?:

  • Appoint an Information Officer.
  • Provide training for management and employees.
  • Review current practices and GDPR compliant documents and policies, and compare them with POPI law.
  • Establish a clear pathway of compliant procedures for processing all personal information.
  • Identify security risks and implement appropriate safeguards.
  • Create and implement relevant documents and instruments for processing personal information, e.g. privacy policies, updated contracts, breach policies and consent forms.
  • Ensure retention of relevant documents.
  • Regularly reassess security, changes to legislation, employee training etc.

Personal Information

  • Personal information relates to not only an individual person but any legal entity. A data subject in the Act is defined as any party to whom the personal information relates.
  • Personal information includes:
    • information on race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and date of birth;
    • information relating to the education or the medical, financial, criminal or employment history of the person;
    • any identifying number, symbol, e-mail address, physical address, telephone number (including mobile phone number), location information, online identifier, passport number or other particular assignment to the person;
    • the biometric information of the person;
    • the personal opinions, views or preferences of the person;
    • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
    • the views or opinions of another individual about the person;
    • the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person;
    • membership of organisations/unions;
    • photos, voice recordings and video footage (including CCTV).
Principle purpose test

How can we help?

How you structure your business is a critical question as you expand globally. The right structure will protect your assets, improve your currency position, support your business operations, facilitate future business expansion and changes, and optimise your overall tax rate. Trying to unscramble a sub-optimal structure entered into in haste or without full consideration of relevant facts is complex and expensive, so it’s important to plan upfront.

Structuring an international business is both a science and an art – this is our specialist area of expertise. Regan van Rooy is an international tax and structuring advisory firm focussing on Africa. We have offices in South Africa, Mauritius and Ireland and we can help you with any international tax or structuring query.