The article written by Lucien Pierce of Phukubje Pierce Masithela Attorneys of Johannesburg was used as input for this summary. It can be found here.
The PoPI Act was signed into law in November 2013. However, PoPI isn’t effective yet. The president still has to decide on the commencement date.
Not only do we need to wait for a commencement date, but PoPI also allows an additional year from the commencement date for you to comply with its requirements.
PoPI essentially regulates how anyone who processes personal information of individuals and corporates must handle, keep and secure that information.
PoPI has substantial penalties if you do not comply. Anyone who contravenes PoPI’s provisions faces possible prison terms and fines of up to R10-million. It also allows individuals to institute civil claims so there’s the possibility of further financial loss on top of any fine that may be imposed.
Here are several practical tips you need to attend to in order to become compliant:
- You should read the Act. It’s not a highly technical piece of legislation. It is long, so if you have time constraints focus on chapter three. It sets out eight conditions for the lawful processing of personal information.
- Give some thought to the type of personal information you process and how your processing complies with the eight conditions in chapter three. A spaza shop and a huge medical aid scheme could both process personal information, but the sensitivity of the information and what PoPI would expect of each would be very different.
- Consider whether your organisation’s operations warrant information security awareness training for your staff. For example, your staff would need to be trained on the simple confidence tricks, such as a phone call to an unwitting staff member, that are often used to access personal information.
- Train your staff on laptop, data storage and mobile device security. Put procedures in place to limit who can access certain information on those devices and your organisation’s computer system.
- Ensure that laptops and other mobile devices have passwords and similar security and are preferably encrypted. Try to implement systems and software that allow lost devices to be remotely “wiped clean”. An unencrypted back-up disk that Zurich Insurance lost in South Africa cost it a fine of £2.3-million. You should draft policies dealing with each of these issues and educate your staff on them.
- Look at the physical security of the premises where you store the personal information that you process. Do you have reasonable security measures in place such as access control, burglar bars, CCTV and alarm systems? Assess these physical security measures in the light of the type of personal information you process (remember: spaza shop versus medical scheme).
- Assess whether any service providers who process information on your behalf have considered and implemented each of the five points above. Put proper contracts in place that compel your service providers to give you assurances that they will also comply with PoPI.
- Given the potential for huge financial losses, consider whether your organisation would be justified in securing cyber insurance. Your current “generic” insurance policy is not likely to cover losses arising out of a data breach by your organisation.
Numerous articles dealing with the PoPI Act have appeared over the past few years. Here are some of them: