The Protection of Personal Information Act was promulgated in 2013 and, for a long time, it was unclear when it would come into force. Now, the Act has become effective as of 1 July 2020. But what does this mean for you, and how will it change the status quo?
First, it is important to note that even though the Act is in effect, its enforcement is delayed by one year under section 114 of the Act. This means that all persons and businesses have until 30 June 2021 to become compliant. After that, the Act will be enforced by the Information Regulator, which may issue fines of up to R10 million and imprisonment of up to 10 years, depending on the severity of the offence.
The first thing that POPI will change is the free sharing of personal information. This means that individuals and companies can no longer share information about you without your consent. The second thing it does, broadly, is give you back control over your personal information held by others.
To achieve the above, POPI gives everyone certain rights. These rights are, broadly: the right to know if a person is holding your personal information, the right to request a record of that information, the right to correct that information, the right to have that information deleted (sometimes called “the right to be forgotten”), the right to stop the person in question from further processing your personal information, and the right not to have decisions made about you based solely on automated processing (the use of algorithms and machines). All of these rights are contained in section 5.
Of all of these rights, probably the most important one for many is the “right to be forgotten”. If a person or company is holding on to your information past the point where they are allowed to (say, a service provider is holding information on you long after you have cancelled your contract with them), then you have the right to contact them and request that they erase all information they have in respect of you. Bear in mind, however, that certain laws such as the Financial Intelligence Centre Act require companies and persons to hold your information for a certain period of time for records purposes. This right is, nevertheless, probably the most powerful right under POPI.
In addition to the rights above, there are further protections put in place that are not strictly “rights”. For instance, putting security measures in place to protect and safeguard personal information is now mandatory under sections 19 to 22. If a data breach occurs, the company in question may be fined by the Regulator and will be forced to make a public disclosure of the breach, which could cause massive reputational damage for the company. The incentive is thus for organizations processing personal information to make sure their data is kept as secure as reasonably possible.
The Act further restricts direct marketing, or what many of us may think of as spam calls, SMSes and emails. Now, under section 69 of the Act, direct marketers only get one chance to contact you to obtain your permission to keep contacting you. If you refuse during this contact, then that person or company is obliged never to contact you again to market their services to you. If they do, they are in breach of POPI and you may file a complaint with the Regulator. It should also now be almost impossible for less scrupulous direct marketing agencies to purchase and sell your data on to others, meaning an end to receiving marketing from services you have never heard of or dealt with.
The biggest change POPI will bring about for consumers is giving them back control over their personal information. Whereas previously consumers were at the mercy of the company handling their information, they now have a powerful set of rights they can enforce against those dealing with their personal information. It won’t change poor data management practices overnight and many firms may remain non-compliant for a while still, but it is a good start to changing South Africa’s poor data-protection culture and bringing us in line with international norms.
Sean is a candidate attorney at the Sandton branch of NGL Attorneys.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)