South Africa’s Protection of Personal Information Act

The Protection of Personal Information Act or the POPIA for short is a South African comprehensive data protection law. The POPIA was established to protect the data privacy rights of South African citizens. Originally proposed in 2013, the POPIA was recently passed into law in 2020, following years of drafting and deliberation. Part of this delay was the influence of the EU’s General Data Protection Regulation or GDPR, as the POPIA drafting committee took time to consider the aspects of the EU law that were most applicable to potential South African legislation. To this end, the POPIA outlines the specific manner in which businesses are permitted to collect, process, and disclose the personal information of South African citizens, as well as the penalties and fines that can result from failing to meet compliance with the law.

What are the data processing requirements of organizations and businesses under the POPIA?

Under the POPIA, businesses that are responsible for processing the personal information of South African citizens are required to comply with eight specific conditions. What’s more, compliance must be met not only when the processing of a South African citizen’s personal information is taking place, but also when online operators determine the purpose and means of said processing. The eight conditions that South African businesses and organizations must adhere to under the POPIA include:

• Accountability– All organizations that process the personal information of South African citizens must ensure that this processing complies with the POPIA at all times. Moreover, businesses are also required to develop and establish a data protection policy, as well as an internal information officer who will oversee said policy.
• Processing limitation– Personal data must be processed in both a lawful and reasonable manner that does not infringe on the privacy rights of the data subject. Organizations are responsible for developing procedures and policies to ensure that all information that is collected is subsequently processed in a reasonable manner.
• Purpose specification- All personal information collected from South African citizens can only be collected for the lawful, specific, and explicit purpose related to the function or activity for which said information was collected. Businesses are required to inform data subjects of the purpose of said data collection, except in certain circumstances, such as when an individual’s data is needed to comply with obligations set forth by South African law.
• Further processing limitation– After the data of a South African citizen has been lawfully collected and processed, this information can only be processed further in certain circumstances. These circumstances are determined by the purposes for which said information was processed in the first place.
• Information quality– Organizations who process the personal information of South African citizens must ensure that said information is complete and accurate while in the possession of the organization. Additionally, organizations must also ensure that this information is not misleading, and is updated whenever necessary. When looking to maintain information quality, organizations must consider the reason for which said information was originally collected.
• Openness– Organizations are required to compile and publicize a manual detailing their data processing procedures, as mandated by the South African Promotion of Access to Information Act of 2000 or PAIA. When personal information is collected, organizations must take reasonable steps to ensure that the data subject is aware of the following: the information that is being collected and the source of said information, the name and address of the organization that is collecting the information, the specific purpose for which this information is being collected from the data subject, whether this data subject is required to provide the information that has been requested, or may do so voluntarily, the potential consequences for failing to provide this information, the legal basis on which this information is collected, whether the organization who has collected the information intends to transfer this information to a third party, the level of protection that will be afforded to this transferred information, and any further information deemed necessary for the processing of personal data to be reasonable under the circumstances explained above.
• Security safeguards– Organizations are responsible for securing the integrity and confidentiality of any personal information in their possession or under their control by taking reasonable and appropriate organizational and technical measures to prevent the unlawful access, unauthorized destruction of, damage, or loss of said personal information.
• Data subject participation– Under the POPIA, data subjects have the right to request confirmation regarding whether an organization holds personal information relating to the subject. Data subjects also maintain the right to request a record or description of the personal information that an organization or third party may hold concerning them. To this end, data subjects may specifically request that an organization either correct or delete personal information about the subject that is proven to be inaccurate, excessive, out of date, incomplete, irrelevant, misleading, or has been unlawfully obtained, as well as destroy or delete any personal information that an organization has collected but is no longer authorized to retain.

How can organizations and businesses achieve compliance under the POPIA?

Under the POPIA, organizations and businesses that handle the personal information of South African citizens must implement measures that ensure this information is protected from unauthorized access, use, or loss. These measures must include the following provisions:

• A data compliance framework must be developed, implemented, monitored, and maintained at all times.
• A personal information impact assessment must be conducted to ensure that these measures are adequate and effective.
• Standards must be created in order to comply with the POPIA’s requirements regarding the conditions for the lawful processing of a consumer’s personal information.
• A manual must be developed, monitored, maintained, and made available to the public in accordance with sections 14 and 51 of the PAIA.
• Internal measures must also be developed in concert with adequate systems for the means of processing requests for access to the personal information of consumers.
• Internal awareness sessions must be conducted regarding the provisions of the POPIA, regulations made in relation to the POPIA, codes of conduct, and any other pertinent information obtained from the “Information Regulator”.
• The POPIA mandates that organizations and business entities incorporate suitable security and technical measures to protect the personal information of data subjects that are in line with the volume, nature, and sensitivity of said information.

Unlike many other comprehensive data protection laws around the world, the POPIA does allow for individual South African citizens to institute a legal claim against businesses or organizations they feel have inadequately stored their personal information. What’s more, data subjects are not required to prove that an organization or business entity that has inadequately stored their personal information did so through negligence. As such, these claims are handled on a strict liability basis. In terms of penalties relating to the violation of the POPIA, organizations, and businesses who fail to comply with the law are subject to monetary fines and penalties of R10 million ($663,742.84), imprisonment, and civil damages, and ultimately reputational harm.

The POPIA was passed to help protect the personal information and in turn privacy of South African residents. As one of the many recently passed privacy laws that were influenced by the EU’s General Data Protection Regulation, the POPIA outlines the specific steps and measures that businesses that collect the personal data and information of South African citizens must follow when processing and handling said information. With legislation such as the POPIA, South Africa joins the many nations around the world who have created federal legislation specifically aimed at protecting the personal information of their citizens.