Sheldon Human Capital Solutions
March 29, 2020
THINK WEEK
March 29, 2020

Protection of Personal Information Act (POPIA)

• By: Grant Wilkinson | Global Business Solutions

Over the December holiday period I was advised by Advocate Pansy Tlakula that the Regulator intends to approach the President and request him to bring the remaining sections of POPIA into effective during the 2020/21 financial year.
The guidelines generally deal with administrative issues but also deal with significant portions for a Code of Conduct and complaints handling procedures.
But maybe we should first take a step back and explain what the POPIA is all about and how this legislation will impact your business.
One could say that the development of POPIA started a long time ago as the pipeline of relevant legislation that preceded this Act includes:
· The right to privacy (as set out in the Constitution)
· Section 9 of the Promotion of Access to information Act
· Sections 50-51 of the Electronic Communications Act 25 of 2002
· Consumer right to privacy (captured in sections 11-12 of the Consumer Protection Act).
PURPOSE
The purpose of the Act is to :
· safeguard personal information
· regulate the manner in which personal information may be processed
· provide persons with rights and remedies to protect their personal information
· establish voluntary and compulsory measures to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

WHEN AND TO WHOM DOES THIS APPLY?
According to Section 3(1) of the Act, it “applies to the processing of personal information iciled in the Republic; or
(a) entered in a record by or for a responsible party by making
use of automated or non-automated means:
(b)  where the responsible party is
(i) domiciled in the Republic; or
(ii) not domiciled in the Republic, but makes use of automated or non-automated means in the Republic”
MULTI-NATIONAL COMPANIES
As a multi-national company, you would need to be very alert to the provisions of the General Data Protection Regulation which is similar legislation that has been in place in Europe for some time. The implementation date of this legislation was 25 May 2018 and if you do find yourself with footprints in both Africa and Europe, you need to be alert to the terms thereof, which are more burdensome on multi-national companies.
EXCLUSIONS FROM THE ACT
The Act does not apply to the processing of personal information
(a)    in the course of a purely personal or household activity;
(b)    that has been de-identified to the extent that it cannot be  re-identified again;
(c)     by or on behalf of a public body and –
(i)  which involves national security…
(ii) the purpose of which is the prevention, detection,  including assistance in the identification of the proceeds of  unlawful activities and the combating of money laundering   activities, investigation or proof of offences, the  prosecution of offenders or the execution of sentences or security measures…
(d)   by the Cabinet and its committees or the Executive Council of  a province; or
(e)    relating to the judicial functions of a court
The Act itself provides for a number of strict measures in terms of the processing of and storage of any personal information that your organisation might be dealing with.  From a practical perspective this means that you would need to ensure that there are necessary protocols and processes in place to deal with the relevant provisions of the Act and to implement strict rules that deal with the safekeeping of information that is being stored and/or processed by your organisation.
Because the POPI Act itself is a very detailed piece of legislation, an article of this size cannot do the full Act justice.  We therefore suggest that you consult with an expert in this space to do a dipstick audit of where your organisation is at currently.
At Global Business Solutions we do provide this service and will  be willing to assist you in this regard.