The South African POPI Act

A Practical Guide for Website Compliance


What Is The POPI Act ?
Will It Apply To Me ?
Do I Really Need To Be Compliant ?
What is GDPR and CCPA ?
Will I still need PAIA Compliance ?
What Are The Elements of Web Compliance ?
Privacy Policy vs. Privacy Statement ?
How Do I Put This Into Website Practice ?

Please note that ALL businesses have to deal with ALL aspects of the POPI Act. This includes many areas related to data storage, tax and accounting records, physical paper files, etc. These issues are usually under the control of your Risk & Compliance Manager. The website requirements for compliance are a subset of that responsibility.
This article only deals with the requirements for your company websites.


WHAT IS THE POPI ACT ?


The Protection of Personal Information Act (POPIA, Act 4 of 2013) was signed into law in South Africa in November 2013. Its main provisions commenced on 1 July 2020, and the one-year grace period for compliance ended on 30 June 2021. It essentially sets out the minimum standards you must apply regarding the accessing and "processing" of any personal information belonging to another.

Personal information is any information that may identify a person such as a name, surname, identity number, contact number, email address, religion, medical history, education, financial or any other information that is unique to an individual. The Act defines "processing" as collecting, receiving, recording, organizing, retrieving, or the use, distribution or sharing of any such information.

All organisations in South Africa (of any size) and individuals that are in a position to obtain, handle and store the personal information of another individual, whether it be in terms of their employment or as suppliers or service providers, must adhere to the requirements of the Act and implement steps to safeguard this information. Organisations were given 12 months from commencement to get their systems and processes in place, so full compliance has been required since 1 July 2021. Non-compliance could result in not only reputational damage and/or potential civil damages claims, but punitive fines of up to R10 million or 10 years imprisonment, or a combination thereof.

It is your responsibility as the business owner to ensure that all personal information is stored safely and is not accessible to individuals that may misuse or share that information with malicious intent.

You can only collect personal information for a specific, explicitly defined and lawful purpose and the subject must be aware of the purpose for which the information is being collected. (section 13)

Once the personal information is no longer needed for the specific purpose, it must be disposed of unless you need to keep it (or are allowed to keep it) by law, or you need to keep the record for your own lawful purpose or in accordance with the contract between yourself and the subject, or the subject has consented to you keeping the records.

You are entitled to keep records of personal information for historical, statistical or research purposes if you have established safeguards to prevent the records being used for any other purposes.

Records must be destroyed in a way that prevents them from being reconstructed.

You can only use personal information that you have collected for the purpose which you collected it for.

When information is being collected, subjects must be made aware of the following (section 18):
  • the information that is being collected and, if the information is not being collected from the subject directly, the source from which it is being collected;
  • the name and address of the person/organisation collecting the information;
  • the purpose of the collection of the information;
  • whether the supply of the information by the subject is voluntary or mandatory;
  • the consequences of failure to provide the information;
  • whether the information is being collected in accordance with any law;
  • whether it is intended for the information to leave the country, and what level of protection will be afforded to the information after it has left South Africa;
  • who will be receiving the information;
  • that the subject has access to the information and the right to rectify any details;
  • that the subject has the right to object to the information being processed (if such right exists);
  • that the subject has the right to lodge a complaint with the Information Regulator. The contact details of the Information Regulator must also be supplied.

If we collect personal information, how must we handle it?

Anybody who keeps personal information has to take steps to prevent the loss, damage, and unauthorised destruction of the personal information. They also have to prevent unlawful access to or unlawful processing of this personal information. (section 19)

We have to identify all risks and then establish and maintain safeguards against these identified risks. We have to regularly verify that the safeguards are being effectively implemented and update the safeguards in response to new risks or identified deficiencies in existing safeguards.

Anybody processing personal information on behalf of a responsible party (for example an employee, or an outside service provider acting as an "operator") must have the necessary authorisation from the responsible party to do so. They must also treat the personal information as confidential. (section 20)

Such a person must have a written contract with the responsible party in which they are specifically obliged to maintain the integrity and confidentiality of the personal information and to implement the established safeguards against identified risks. (section 21)

They are also obliged to notify the responsible party immediately if there are reasonable grounds to believe that the personal information has been accessed or acquired by an unauthorised person.


WILL POPI APPLY TO ME ?


The short answer is "Yes, if you collect data from anyone".
- If your website has a form to be completed sending a visitor's details to you for contact purposes, then you have collected data.
- If you have Google Analytics installed on your website, then you are "dropping cookies" (even though Google does it on your behalf) and you have to inform the visitor.
- Your accounting system contains the names, addresses and organisational data of your clients. That is collected data to be safeguarded.
- Your marketing database for sending client newsletters is also such a data repository.

It would be hard to imagine a business which would not be subject to the requirements of the POPI Act.


DO I REALLY NEED TO BE COMPLIANT ?


This is where it gets interesting and perhaps controversial.

You will have noticed, since early 2022, that you are constantly being asked for "Cookie Consent" when you visit a website for the first time. This is usually in the form of a simple "This website uses cookies" without much further explanation. But if you decline, you will usually be taken to another screen which explains why the cookies are necessary. Declining after that screen may restrict your access to portions of the rest of the site and, in extreme cases, you may be blocked from further access. These are websites applying strict POPI compliance, and very often they are companies resident in the UK or Europe applying the GDPR rules. Increasingly, they are South African companies as well. It would be expected that these websites also publish privacy policies, POPI compliance documentation and PAIA manuals. In short, they appear to be POPI compliant.

These sites are currently a definite (very small) minority, but compliance is bound to increase over time.

But when we look back at the history of South African legislation on web-based control of data and its implementation, we see a broad record of non-compliance. There were two previous pieces of legislation that were intended to control data management and (one suspects) the growing curse of email-based spam. Namely:
  - The Promotion of Access to Information Act 2 of 2000 (PAIA)
  - The Electronic Communications and Transactions Act 25 of 2002 (ECT Act)
Compliance levels with both acts were low, and still are today.

So one has to weigh the cost of ensuring compliance against the likelihood of actually experiencing enforcement. This is usually a function of attitude to risk and the extent to which you actually do collect data. Presumably if you suffer a data breach of some significance then you may well be subject to the penalties stipulated in the Act. You need to assess your exposure and, if it exists, decide accordingly.

The POPI Act has implications for many data related aspects of your business (accounting data, backups of employee machines, data stored on-line, etc) which are not in our specific area of experience. We can only offer suggestions related to your website content and in that respect we recommend that you make a "best effort" attempt to comply and be seen to be making that attempt. Over time you will be able to observe the compliance of your competitors and other similarly positioned organisations and can then improve and amend your own documentation.


BUT WAIT, WHAT IS GDPR and CCPA ?


This all gets a little bit worse before it starts getting better

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. ... If you are a South African company and you sell products or services in the EU or process the personal data of EU citizens, then the GDPR applies to you. So even if only a small percentage of enquiries come from the EU, and you collect and use that person's information, then you need to be GDPR compliant. If your site uses cookies, then you need to be GDPR compliant. The same goes for contact forms and newsletter subscriptions. Strictly speaking, the information needs to be processed in relation to the offering of goods or services to, or the monitoring of the behaviour of, people in the EU.

Any service that is added to your website (using third parties) must also comply with GDPR. Even if you don't think the service you are adding collects personal data, you must be wary. Many free services include some form of data capture that is later used by advertising networks. Remember that using Google Analytics drops cookies, which makes you liable for GDPR compliance.

If your website does not collect any personal data (including IP addresses), does not use cookies and does not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

Cascading compliance happens when a company with whom you work, and to whom you pass personal information, asks you for your privacy policy link details. This is usually because they have to be GDPR compliant, and that requires them to link to the policy documents of the companies they work with and to whom they have passed on an EU citizen's personal data. That is becoming increasingly common.

Then there is the California Consumer Privacy Act (CCPA). Although the GDPR and CCPA are different from one another in some notable ways, the CCPA is essentially a less strict version of the GDPR. The difference between GDPR and CCPA is that the CCPA's definition is extra-personal, meaning that it includes data that is not specific to an individual, but is categorised as household data, whereas the GDPR remains exclusively individual.

As a general statement, if you have complied with all provisions of POPI then you should be largely OK with the GDPR. You only need to be concerned about CCPA if you do business in California - but if you have complied competently with POPI, and then checked for GDPR variations if GDPR applies to you - then you should be good with CCPA.

The link below is recommended as a not-too-heavy read on the GDPR for South Africans.
michalsons - Compare the GDPR with the POPI Act
As is this discussion on GDPR from a South African perspective.


WILL I STILL NEED A PAIA MANUAL ?


Firstly, understand that the POPI Act and the Promotion of Access to Information Act (PAIA) have different purposes. PAIA concerns itself with giving information about you, your company and your operations to website visitors. It helps them understand who they are dealing with and introduces some extra accountability and transparency. Think of it as anti-corruption, a good thing.

The POPI Act, as you will know by now, is focussed on making sure that you take good care of the personal information that website visitors have entrusted to you. Somewhat opposite to PAIA. It makes sure that you do not abuse that information in any way. And the POPI Act does not require you to have complied with PAIA.

But it is a criminal offence (since 1-Jan-2022) for you not to have a PAIA manual published on your website. If you are going to the trouble of ensuring POPI compliance then it makes no sense not to take the small extra effort to get PAIA compliant. There are no exemptions - everyone, including you, must comply. There has been no real prosecution of the act but this will likely change at some time.

The Act only specifies that you must have and publish the manual. You also need to register your Information Officer with the Regulator. So unless you are a major player affecting key industries and are over R10m annual turnover (an estimate) then you can have a fairly generic manual.

Michalsons offer a free download which should be all that most would require.

Or you can download the Regulator's Template which is considered a clumsy solution.

And there is also Access - to - Info which is a commercial service who will create a manual from an automated form for a fee of around R400.


WHAT ARE THE ELEMENTS OF WEB COMPLIANCE ?


From reading the above you will understand that there are a number of decisions to be made about achieving practical compliance within your organisation. These include such issues as appointing an information officer and reviewing the systems used for storing data, securing data and making security backups. Employee access, theft of devices and even the eventual disposal of devices (upgraded hard drives and notebooks) are all issues to cover. But these issues are beyond the scope of this article which will focus on amendments that are required on your company website.

You could use the following as a "Get Started" framework...

THE BROAD STEPS AND POPI TESTS

The nominated Information Officer would be responsible for overseeing these functions and processes.

Develop a Formal Strategy
Think of it as a data protection planning document. It should be scheduled for review on an annual basis and it would be the basic policy that the organisation follows to secure data and not fall foul of the POPI Act.
- What are the backup policies to protect against a data breach or device theft?
- How do you protect against an employee stealing or selling your data?
- What must you do (statutory reporting) if data is lost?

Set Up Strong Ransomware, Phishing and Malware Defences
These are issues for your IT staff and security consultants if beyond your ability.
Data preservation and protection is the objective.
Think firewalls, virus protection, ransomware protection, phishing attack education, etc.
A major defence tactic is having multiple independent backup systems running, storing locally, offsite and in the cloud, and periodically verifying that those backups can actually be restored.

Monitor and Review Data Storage Levels
Have set objectives for clearing out old data that has reached its discard date.

Adhere to Consent Marketing Rules
Save and store the proof of consent (optin) for contact especially where direct marketing is concerned. This data would itself be subject to POPI rules and would be destroyed after a specified time has elapsed after the collected data itself has been destroyed.

Destroy Effectively
Drives must be wiped and digitally shredded and files must not just be simply deleted.

Keep Your Employees Educated
Schedule an annual POPI review workshop where policies and your overall strategy are all reviewed and revised.


PRIVACY POLICY VS. PRIVACY STATEMENT ?


Is this the same thing or is there a difference ?
No - they are different.

A privacy policy focuses within the business. It sets out how the business will handle personal information. However, a privacy statement (a.k.a. privacy notice) focuses externally. It tells customers, regulators and other stakeholders what the organisation actually does with personal information.

Your Privacy POLICY will say, broadly, that you may have to keep personal data on file for compliance with accounting, tax and legal government requirements. The Privacy STATEMENT will detail exactly which Acts and laws are being complied with. The Policy will reserve the right to pass your personal information on to the business affiliates who assist in providing the service to you. The Statement will detail who those affiliates are and provide links to their Privacy Policy documents.

So the Policy lays it out in concept and the Statement details the nuts and bolts.

In practice it would only be bigger corporations who prepare a separate detailed statement document, and usually only if they are focussed on complying with the stricter GDPR requirements. If you are required, perhaps by a business partner in the EU who is GDPR focussed, to provide your policy links - then you may want to provide the detailed information in your Policy document directly after the relevant items. These practices are expected to standardise and move in a particular direction once more websites become POPI compliant.


HOW DO I PUT THIS INTO WEBSITE PRACTICE ?


If you have not already done so, you will need to create a PAIA Manual and publish it on your website.

Develop a Privacy Policy document.
  -   A Privacy Policy Template is available for download.
  -   A Skinny Policy Template is very brief but perhaps sufficient for now.

Develop a Cookie Policy, even if you believe you do not use cookies (analytics and embedded third-party services usually set them).

A link can be placed in all footers to "Privacy Policy" which can be a stand-alone page with links to all of these documents.

Pages where information is collected, such as a contact page, a sales order form or a newsletter signup page must all have the Privacy Policy link visibly displayed.
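The consent screens described earlier (and the point that Google Analytics "drops cookies" whether or not you wrote the code) come down to one mechanism on the page: do not load a third-party script until the visitor has explicitly opted in, and keep a record of that opt-in. The following is an added example of that gate, not code from this article or from any vendor. The cookie name, policy version, 180-day expiry, the marketing script URL and the `showConsentBanner` function are assumptions; the measurement id in the Google Tag Manager URL is a placeholder. The decision logic is kept in plain functions so it can be exercised outside a browser, and the DOM wiring at the end only runs when `document` exists.

```javascript
// Added example (not from the article): consent-gated loading of third-party scripts,
// with the consent choice stored as a versioned, expiring first-party cookie that
// doubles as the proof-of-consent record.

const POLICY_VERSION = '2024-01';        // assumption: bump whenever your cookie policy changes
const CONSENT_COOKIE = 'cookie_consent'; // assumption: name of the first-party consent cookie
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // assumption: re-ask after 180 days

// Third-party loaders keyed by the consent category that permits them.
// Strictly necessary cookies need no consent and are deliberately not listed here.
const GATED_SCRIPTS = {
  analytics: ['https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX'], // placeholder measurement id
  marketing: ['https://example.com/ads-pixel.js'],                        // hypothetical vendor script
};

// Parse "a=1; b=2" into { a: '1', b: '2' }.
function parseCookieHeader(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Build the record that is both the cookie payload and your proof of consent:
// policy version, timestamp and an explicit per-category choice.
// Opt-in only: a category that is missing or not exactly `true` counts as refused.
function buildConsentRecord(choices, now = Date.now()) {
  const c = {};
  for (const cat of Object.keys(GATED_SCRIPTS)) c[cat] = choices[cat] === true;
  return { v: POLICY_VERSION, t: now, c };
}

// Serialise the record as a Set-Cookie / document.cookie string.
function serializeConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  const maxAge = Math.floor(CONSENT_TTL_MS / 1000);
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Returns { status: 'none' | 'stale' | 'valid', record? }.
// 'stale' means the visitor must be asked again (policy changed or consent expired).
function readConsent(cookieString, now = Date.now()) {
  const raw = parseCookieHeader(cookieString)[CONSENT_COOKIE];
  if (!raw) return { status: 'none' };
  let record;
  try {
    record = JSON.parse(decodeURIComponent(raw));
  } catch (e) {
    return { status: 'none' }; // malformed or tampered cookie: treat as no consent
  }
  if (!record || record.v !== POLICY_VERSION) return { status: 'stale' };
  if (typeof record.t !== 'number' || now - record.t > CONSENT_TTL_MS) return { status: 'stale' };
  return { status: 'valid', record };
}

// Only scripts in categories the visitor explicitly accepted may be loaded.
function scriptsToLoad(consent) {
  if (consent.status !== 'valid') return [];
  const urls = [];
  for (const [cat, list] of Object.entries(GATED_SCRIPTS)) {
    if (consent.record.c && consent.record.c[cat] === true) urls.push(...list);
  }
  return urls;
}

// Browser wiring: inject permitted scripts, otherwise leave it to the banner to ask.
if (typeof document !== 'undefined') {
  const consent = readConsent(document.cookie);
  if (consent.status === 'valid') {
    for (const src of scriptsToLoad(consent)) {
      const s = document.createElement('script');
      s.src = src;
      s.async = true;
      document.head.appendChild(s);
    }
  } else if (typeof showConsentBanner === 'function') {
    // showConsentBanner is assumed to exist. On "accept" it should run:
    //   document.cookie = serializeConsentCookie(buildConsentRecord({ analytics: true }));
    // and then reload or call scriptsToLoad() again.
    showConsentBanner(consent.status);
  }
}
```

Two design points matter for the "proof of consent" requirement mentioned under Consent Marketing Rules: the record carries the policy version, so changing your cookie policy automatically re-prompts everyone rather than silently relying on old consent, and the choice is strict opt-in, so a missing or pre-ticked value never loads anything. The cookie is the visitor's copy; also post the same record to your own server-side consent log so it survives the visitor clearing cookies.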
