The Protection of Personal Information Act 4, or POPIA for short, commenced on 1 July 2021 after President Cyril Ramaphosa proclaimed its commencement in 2020. As set out in the Act, every data controller across South Africa had one year to become fully compliant and avoid the strict penalties set out in the legislation.
Now, with the Act in full force, it’s critical to understand what it means for you and your business data. That’s why we’ve decided to break it down for you by answering five basic questions on how the POPI Act will impact your big data.
#1 What Counts as Personal Information?
The primary purpose of the POPI Act is to keep personal information private while allowing organisations and businesses to conduct their operations. In essence, any information that a third party can use to identify a person is covered by the Act. It’s comprehensive and covers the following data and information:
- Criminal record
- Date of birth and age
- Education information
- Email addresses
- Employment history and salary
- Financial information
- Gender, race, and ethnic origin
- Identity or passport numbers
- Marital relationship status and family relations
- Memberships to organisations or unions
- Online or instant messaging identifiers
- Phone numbers
- Photos and video footage, including CCTV footage, voice recordings, and biometric data
- Physical addresses
- Physical and mental health information
- Private correspondence
- Religious or philosophical beliefs
As defined by this law, a “person” doesn’t refer only to your customers and clients but to any human being. That includes every stakeholder, supplier, and employee that interacts with your business or organisation. Under the Act, your company or organisation is obligated to protect the personal information of all these individuals.
#2 Does the Act Apply to Me or My Business?
Yes. If your business or organisation is located in South Africa and collects personal information from customers or clients, the Act applies to you. It’s essential to note, however, that the Act doesn’t offer a “one size fits all” solution.
Every time you sign up for a newsletter, hire an attorney, visit a doctor, or buy a product online, you are obligated to provide some personal information. You might not be aware of it, but while you’re online, your data is being tracked and processed by companies that you’ve never heard of. Similarly, your business may be getting information from your users via sign-up and contact forms, calls, and even browser cookies set by your website.
The primary purpose of the POPI Act is to regulate how businesses process, store and use that personal information. It empowers users, giving them more control over what is being done with their data. Additionally, it protects them from abuse while also protecting your organisation from unnecessary risk of exposure.
#3 How Does POPI Affect the Information My Business Collects?
The Act aims to protect personal information by restricting how it’s collected and limiting how you may use that information. It holds all businesses and organisations accountable for the data they collect and how they secure and use it.
The POPI Act also sets out purpose and processing limitations, which means that you can’t use your audience’s data in a way that violates their privacy rights. Instead, organisations may only use the information for a purpose of which the client is aware and to which they expressly agreed.
In essence, you can’t collect or use any person’s personal information without their permission and approval. The Act thus affects your audience analysis practices, marketing strategy, and sales tactics. For example, where buying a database of potential clients was once widely practised, it is now illegal under the Act unless every person on the list agreed for their information to be shared.
The Act also affects how your company should approach data security. It clearly states that the responsible party must secure all personal information under its control. Should the business or organisation’s security safeguards fail, such as in the case of a data breach, you must notify clients that their information has been compromised.
#4 How Do You Maintain POPI Compliance?
The POPI Act outlines eight conditions for the lawful processing of personal information by public and private entities. These conditions are the minimum requirements for a business or organisation to comply with the new legislation. They are:
Accountability
Every public and private entity must comply with the Act, and it is best practice to appoint someone to be responsible for your organisation’s data compliance.
Processing Limitation
Your business or organisation may only process the information it needs for a justifiable reason, and the client or customer’s consent must be secured.
Purpose Specification
The processing of personal information must be done only for lawful purposes related to your business’s function, and the customer or client must be aware of this purpose.
Further Processing Limitation
Your business or organisation must prevent the processing of personal information in its custody for any reason other than the purpose to which the customer or client consented.
Information Quality
Your business or organisation is responsible for all personal information it holds and must ensure that it is accurate, up to date, and not misleading.
Openness
The customer or client is entitled to the details of the party responsible for their data (your business in this case).
Security Safeguards
Your business or organisation is responsible for identifying any foreseeable and reasonable risks that could threaten the integrity and security of personal information.
Data Subject Participation
The customer or client can ask for details regarding their personal information or request its deletion at any time.
#5 What Are the Consequences If My Business Fails to Comply with the POPIA?
Should a business or organisation be the cause of a breach of a customer or client’s personal information, negligently or otherwise, the affected customer or client may complain to the Information Regulator. It’s critical to note that the Information Regulator doesn’t require a court order to issue a fine for non-compliance.
The POPI Act also sets out civil remedies available to an aggrieved party, which include:
- Aggravated damages.
- Payment for damages as compensation for losses suffered because of a breach.
- Interest and costs on a scale as determined by a court of law.
Should criminal charges be brought against your business and you are convicted, the penalty is severe. A conviction carries a prison sentence of up to 10 years or a fine with an undisclosed maximum. Additionally, the Information Regulator may impose administrative penalties of up to R10 million.
What’s The Impact on Big Data?
With all the regulations highlighted above, does this mean that your big data is now useless? Not quite. In fact, the Act has a section that does, in a sense, provide for big data. In short, if you plan on using analytics to evaluate and analyse data for insights, you’ll need to liaise with the Information Regulator to get prior authorisation.
However, Section 26 lays out specific categories that are excluded from such approval. It prohibits the processing of special personal information, such as:
- Religious beliefs.
- Race or ethnic origin.
- Trade union membership.
- Political persuasion.
- Health or intimacy.
- Biometric information.
- Criminal behaviour.
In short, the POPIA doesn’t stop the collection and use of big data. However, it does limit the information that businesses can collect, when they can collect it, and how it’s used. These restrictions are in place to protect the data from being misused while imposing new accountability standards on organisations.
The POPI Act isn’t the end of big data, but it is going to impact how you can collect and use that precious information. With the regulations in place, many organisations are turning to professional infrastructure and data analysis agencies for assistance, and with good reason. Many of these companies already have the tools and permissions in place to continue working without interruption, taking significant pressure off your business. At BOATech, we have all the tools required to help you analyse your big data while protecting your user information. It will be more important than ever to work within the legal restrictions. However, with a thorough understanding of the Act and a capable agency at your side, you can still draw value from your big data.