The Protection of Personal Information (POPI) Act puts the onus on businesses to ensure personal data, be it of clients or employees, is protected.
Hogan Lovells partner, Leishen Pillay told a recent Global Business Travel Association workshop: “The obligations are to ensure that you put steps in place, and these are not reasonable steps, these are the steps required to prevent unauthorised access to, loss of or damage to personal information. Now that is three different steps that need to be taken in terms of personal information.”
As an example, he said the hard-drive of a laptop should be encrypted so that no one could gain access to the information stored on the device in the event it was stolen. “You can be fined for a flash-drive going missing; you can be fined for a cellphone going missing or lost and, or stolen.” He said this applied to any device that stored personal information.
Another Hogan Lovells partner, Gareth Cremen, added: “In terms of the workplace, POPI very much applies to anything. It applies to whether or not you have an unsuccessful applicant, or someone who sends their CVs on a day-to-day basis. The question is, how should you store that information?
“Gone are the days when you keep information indefinitely. We do it now because the law does not require you to delete that information. Once POPI comes through, every single record that you keep, every single record that you are required to collect, you must understand what the lawful requirements are.”
Gareth said it would be a breach of POPI if a business kept an employee’s IRP5 form one day over the five-year required period.
In 2018, when the Act is due to be implemented, companies will be required to disclose lost personal information. “The law requires you to do two things. The first is that you have to report any loss, and I am talking about a flash-drive, a mobile phone, a laptop or anything else that has personal information to the regulator,” said Leishen.
The information officer and CEO, who are responsible for compliance and operations, would be looked at first. “The second thing is that you are going to have to notify every consumer whose information has been lost.”
Leishen explained that the Act applied to everyone in the chain dealing with personal information. “But at the very top of the chain is you as the person who collected that information.”
The consequences are onerous, including fines of up to R10 million, prison sentences and civil claims.
POPI Act: What happens when there is a breach?
08 Nov 2017