
11 POPIA Questions to Ask Yourself Before 30 June 2021

Note: This is a complex topic and there is no substitute for tailored professional advice. What is set out below is of necessity no more than a simplified summary of some practical highlights.

You and your business are at substantial risk if you aren’t fully compliant with POPIA (the Protection of Personal Information Act) on 1 July 2021.

The clock is ticking! Have a look at the Information Regulator’s Countdown Clock here to see exactly how many days (and hours, minutes, and seconds!) you have left.

Be ready! Be compliant! Ask yourself these eleven questions –

  1. Does POPIA really apply to us?
    As soon as you in any way “process” (collect, use, manage, store, share, destroy and the like) any personal information relating to a “data subject” (suppliers, customers, members, employees and so on – whether individuals or “juristic persons” such as corporates and the like), you are a “responsible party”. The formal definition of a responsible party is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information” – very few businesses and organisations will fall outside that net. Equally you are unlikely to fall under exemptions such as that applying to information processed “in the course of a purely personal or household activity”. But don’t panic – compliance is easily attainable for most businesses, particularly if you are a smaller operation with little in the way of sensitive personal information. Answer the questions below to get a feel for areas you need to concentrate on now.
  2. What risks do we run if we don’t comply with POPIA?
    If a data subject suffers any loss as a result of your breach of POPIA, the subject (or the Regulator at the request of the subject) can sue you for damages and you will be liable even if your breach was unintentional and not negligent. You also face criminal prosecution, penalties and administrative fines for some breaches.
  3. Have we registered our Information Officer/s?
    You must register your Information Officer (“IO”) with the Information Regulator – go to the Regulator’s Online Portal for the online and PDF versions of the registration form, plus the email address for support enquiries and a link to the Search page. The IO is responsible (and liable) for all compliance duties, working with the Regulator, establishing procedures, and the like. You are automatically your business’ IO if you are its “Head” i.e., a sole trader, any partner in a partnership, or (in respect of a “juristic person” such as a company) the CEO, MD or “equivalent officer”. You can “duly authorise” another person in the business (management level or above) to act as IO and you can designate one or more employees (again management level or above) as “Deputy Information Officers”.
  4. Do we have a list of all personal information we hold, and how and why we hold it?
    Make a full list of all the personal information you hold/process, whether physically or in electronic form. Then evaluate it against the test that, to collect and “process” personal information lawfully, you need to be able to show that you are acting safely, lawfully, and reasonably in a manner that doesn’t infringe the data subject’s privacy. You must show that “given the purpose for which it is processed, it is adequate, relevant and not excessive”. Data can only be collected for a specific purpose related to your business activities and can only be retained so long as you legitimately need to (or are allowed to) keep it for that purpose.
  5. What security measures do we have in place?
    You must “secure the integrity and confidentiality of personal information in [your] possession or under [your] control by taking appropriate, reasonable technical and organisational measures to prevent … loss of, damage to or unauthorised destruction of personal information … and unlawful access to or processing of personal information.” You are at great risk of liability and penalties if you suffer any form of data breach from a risk that is “reasonably foreseeable” unless you can prove that you took steps to “establish and maintain appropriate safeguards” against those risks. If you haven’t already done so, brainstorm with your team all possible internal and external vulnerabilities (physical as well as electronic) and address them.
  6. Do third parties hold/process personal information for us?
    If third parties (“operators”) hold or process any personal information for you, they must act with your authority, treat the information as confidential, and have in place all the above security measures. Further restrictions apply if the third party is outside South Africa.
  7. Do we know what to do if we suffer a breach?
    Any actual or suspected breaches (called “security compromises” in POPIA) must be reported “as soon as reasonably possible” to both the Information Regulator and the data subject/s involved.
  8. Do we do any “direct marketing” and if so do we comply with all requirements?
    Most businesses don’t think of themselves as doing any “direct marketing”, but the definition is wide and includes “any approach” to a data subject “for the direct or indirect purpose of … promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject…”. So for example, emailing or WhatsApping your customers about a new product or a special offer will put you into that net. If your approach is by means of “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, you must observe strict limits. Whilst you can as a general proposition market existing customers/clients in respect of “similar products or services” (there are limits and recipients must be able to “opt-out” at any stage), potential new customers can only be marketed with their consent, i.e., on an “opt-in” basis. They can be approached only once for that consent, so keep a record of everyone you have asked.
  9. Does our website use cookies and if so do we have a cookie notice and policy in place?
    As countries around the world ramp up their privacy laws, we will all see many more examples of “cookie notices” on websites we visit. You may wonder how your own website should be configured, and the short answer is that if it uses cookies (almost all do), POPIA very likely applies despite the fact that there is no specific mention of cookies in the current legislation. Bottom line – to be on the safe side, have a cookie notice and policy in place. Keep yours simple and user-friendly.
  10. Do we have a privacy policy and a POPIA manual in place?
    POPIA – unlike PAIA (the Promotion of Access to Information Act) – doesn’t require you to have a POPIA manual in place, but in larger businesses it is certainly a good idea to prepare one. However, you should certainly have a privacy policy in place. Make sure that everyone in your organisation is aware of it and of how critical it is to comply with it at all times.
  11. Is our staff team ready?
    Check that everyone in your business understands your compliance plan and their own individual roles and responsibilities in it. Make sure that nothing falls through the cracks – assign specific tasks to specific staff members.

Bodies Corporate and Homeowners Associations – how POPIA affects you

Bodies Corporate and Homeowners Associations (HOAs) fall into the POPIA compliance net and should be asking themselves the questions above.

In assessing what personal information you hold, how and why you hold it, and who you are sharing it with, remember to include not only scheme owners and HOA members but also your auditors, attorneys, managing agents, the CSOS (Community Schemes Ombud Service), security service providers and the like.

If you have gate security in the form of visitor registers, scanning of licence plates and driver’s licences and so on, be ready to address questions around having lawful reason for collection and retention of all the personal information you are gathering in this manner.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© LawDotNews

POPIA: A Practical 4-Step Action Plan for your Business

“By failing to prepare you are preparing to fail” (Benjamin Franklin)

The media is still awash with warnings about the dangers of not complying with POPIA (the Protection of Personal Information Act). The risks of non-compliance are indeed substantial but whilst much is made of the fact that the Act itself is now in force, references to the one-year grace period for compliance expiring on 30 June 2021 appear only in the fine print (if at all).

But – and this is a big but – there are major benefits to understanding POPIA and starting the compliance process long before it becomes compulsory. The penalties for getting it wrong are sizeable, “preparation makes perfect”, you are giving yourself lots of time to get it right, and for many businesses there is also good marketing potential in being able to tell your customers and clients that you are already addressing the situation.

Four practical steps to start with…

Before we start on your action plan, get to grips with the fact that you will almost certainly have to comply fully with POPIA. As soon as you in any way “process” (collect, use, manage, store, share, destroy and the like) any personal information relating to a “data subject” (customers, members, employees etc etc), you are a “responsible party”. Very few businesses will fall outside that net. Equally you are unlikely to fall under exemptions like that applying to information processed “in the course of a purely personal or household activity”. Get going with these steps –

  1. Assess what personal information you hold, how you hold it, and why: Figure out what personal information you currently hold, how you hold it, and why you hold it. To collect and “process” such information lawfully you need to be able to show that you are acting lawfully, reasonably in a manner that doesn’t infringe the data subject’s privacy, and safely.   

    You must show that “given the purpose for which it is processed, it is adequate, relevant and not excessive”, data can only be collected for a specific purpose related to your business activities, and can only be retained so long as you legitimately need to or are allowed to keep it.   

    There’s a lot more detail in POPIA, but you get the picture – you cannot collect or hold personal information without good and lawful cause.

  2. Check security measures, know what to do about breaches: You must “secure the integrity and confidentiality of personal information in [your] possession or under [your] control by taking appropriate, reasonable technical and organisational measures to prevent … loss of, damage to or unauthorised destruction of personal information … and unlawful access to or processing of personal information.” You are going to have big problems if there is any form of breach from a risk that is “reasonably foreseeable” unless you can prove that you took steps to “establish and maintain appropriate safeguards” against those risks. Bear in mind that whilst cyber-attacks tend to get the most media time, there are also other risks out there – brainstorm with your team all possible vulnerabilities and patch them.  

    Any actual or suspected breaches (called “security compromises” in POPIA) must be reported “as soon as reasonably possible” to both the Information Regulator and the data subject/s involved.   

    If third parties (“operators”) hold or process any personal information for you, they must act with your authority, treat the information as confidential, and have in place all the above security measures.

  3. Check if you do any direct marketing: Most businesses don’t think of themselves as doing any “direct marketing”, but the definition is wide and includes “any approach” to a data subject “for the direct or indirect purpose of … promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject…”. So for example just emailing or WhatsApping your customers about a new product or a special offer will put you firmly into that net. 

    If your approach is by means of “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, you must observe strict limits. Whilst you can as a general proposition market existing customers in respect of “similar products or services” (there are limits and recipients must be able to “opt-out” at any stage), potential new customers can only be marketed with their consent, i.e. on an “opt-in” basis. 

  4. Get a start on procedures and training: Identify an “Information Officer” who will take on all compliance duties, establish procedures, and train your team in implementing them. Cover how you will collect the data, process it, store it, for how long, for what purpose/s and so on. What consent forms do you need and when/how are they to be completed and stored? You are much less likely to have a POPIA problem if everyone in your business (and most importantly you!) understands what your procedures are and implements them as a matter of course. Make sure that no functions “fall between two stools” – assign individual compliance tasks to named staff members and make sure everyone understands who is to do what.

This is a complex topic and there is no substitute for tailored professional advice. What is set out above is of necessity no more than a simplified summary of a few highlights.


POPIA’s Deadline is 30 June 2021 – Ignore the “Fake Headlines” But Start Planning!

At long last the main provisions of POPIA (the Protection of Personal Information Act) have been gazetted, and they will commence on 1 July 2020. That means that the one-year transitional period will expire on 30 June 2021.

Don’t panic just yet, and ignore the many “fake headlines” in the media implying that you are at immediate risk of non-compliance, but at the same time don’t leave this to the last minute! Preparing for compliance is going to be a time-consuming affair, almost all South African businesses will need to comply, and the penalties for not doing so will be very severe indeed – 

  • You risk administrative fines of up to R10m;
  • You could face criminal prosecution (with up to 10 years’ imprisonment);
  • You could be sued for millions by anyone whose data has been compromised, and this is an instance of “strict liability” in that no “intent or negligence” on your part need be proved;
  • The loss of trust and the adverse publicity resulting if your data breach goes public could be devastating.

In future issues we’ll let you have a lot more practical advice on how POPIA will affect your business, and on the steps you will have to take to protect yourself from the dangers of non-compliance, but for now get started with this first planning step: Ask yourself what personal information you hold, where you hold it, who has access to it, and how secure it is. 
