Some provisions of the Protection of Personal Information (PoPI) Act commenced on July 1, and the remaining provisions are to be addressed once the Information Regulator assumes its powers.
The sections that have commenced include the conditions for processing personal information, procedures for dealing with complaints, and provisions regulating direct marketing by means of unsolicited electronic communication.
During an EngineerIT panel discussion, Dr Danie Strachan, attorney at Adams & Adams, said: “Many think PoPI will make their information super secure now, which is not the case. I think what it will do is place a proper responsibility on businesses to make sure that, when they process personal information, they do so carefully, based on certain principles, so that information won’t end up in the wrong hands. Regulators across the board realised that information ends up in criminal hands because organisations don’t treat that info properly.”
Bridgette Vermaak, head of IT asset disposal at Xperien, said one in every four people had experienced a data breach, and businesses needed to know how to be compliant. “Firstly, do an assessment of how you are generating that data, why you need it, how you’re storing it, securing it, and then destroying it. Each organisation should invite in a third party just to get their legal perspective to ensure that they are following the right processes around PoPI legislation.”
Wendy Tembedza, senior associate at Webber Wentzel, said the starting place for small to medium-sized businesses was to have a champion of PoPI. “I think that would be in the form of the information officer. But it is important that the business understands that, even if you have an information officer, everyone needs to get on board with the compliance programme.”
On the provisions regulating direct marketing by means of unsolicited electronic communication, Wendy said there would now be restrictions on how you contacted individuals. The individual would need to be an existing customer, or would need to have given their consent to that marketing. “Even in the context of an existing customer, you would need to give them the opportunity to opt out of that communication going forward,” Wendy said.