The remaining provisions of the Protection of Personal Information Act 4 of 2013 (“the POPI Act”) were set to be gazetted on 1 April 2020, but due to the outbreak of COVID-19 and the lockdown, the long-anticipated wait for the Act to come into full effect continues. However, that does not mean that businesses should take a back seat – rather, businesses should be aware that once the Act comes into effect, they will only have a grace period of twelve months to ensure that they are compliant with the Act.
The importance of the POPI Act is that it provides for the protection of private information when it is processed, especially in cases where businesses such as banks deal with a huge volume of private client information and data. The Act regulates how businesses should obtain information from clients, how that information is stored and used, and the consequences of mismanaging information or obtaining it improperly. The POPI Act also sets out what kind of information can and cannot be obtained, and places a large focus on consent from the individual or juristic entity when any personal data is obtained.
One massive development in respect of this Act is that direct marketing will have to become opt-in, where consumers will have to actively agree to receive promotional messaging. Therefore, unsolicited direct marketing via electronic channels will become opt-in only, unless the consumer has consented to giving personal information to the supplier in the context of a sale for the purpose of direct marketing.
If businesses do not become compliant within the grace period, they could face severe consequences, such as civil and criminal penalties of up to R10 million in extreme cases, or the possibility of spending up to 10 years in prison. To avoid this, businesses will have to ensure that they have put sufficient data security measures in place, and that all of their policies and agreements are compliant with the Act.
If you are unsure as to how your business can become compliant, we can assist you by advising on what is required of your specific business and by drafting various documents such as privacy programme management policies, breach response procedures, compliance and impact assessments and consent documentation. We will also ensure that your privacy policies and contractual clauses are compliant, and we will assist you in incorporating the POPI policy into your business’s framework.