The A-Z of POPI compliance
The Protection of Personal Information (POPI) Act came into full effect on the 1st of July 2021. If you still haven’t implemented your POPI compliance strategy, it is strongly advisable that you take quick and decisive steps to do so as non-compliance could carry hefty penalties. To ensure that you get your (POPI) act together, we’ve put together a handy list of A-Z* terms that you should consider in your quest for information protection.

A – Accountability: One of the 8 conditions for processing personal information, which governs that both the means and the purpose thereof must be determined before processing can take place.
B – Big data: With modern data practices where large quantities of information are constantly being processed in a short time, you will need to ensure that you have infrastructure in place to deal with these kinds of large-scale processes lawfully.
C – Consent: You need to provide your data subjects with enough information for them to make an informed decision on whether you may process their personal information. They may only be approached for consent once.
D – Data Subject: The legal persons/entities whose information you collect and process are called data subjects.
E – Eradication: When information is no longer used for the purpose it was collected, you will need to dispose of that information without a way to recover it.
F – Freedom: While POPI does restrict the liberty with which businesses have been processing data in the past, it is in fact aimed at rectifying the lack of freedom and privacy data subjects have been forced to deal with for much too long.
G – GDPR: The GDPR (General Data Protection Regulation) is the EU’s data protection law and is similar to POPI in many ways. Be sure to understand by which jurisdiction your data is regulated.
H – How: According to the POPI Act, the manner in which you process personal information must be pre-determined and communicated clearly to your data subjects.
I – Information officer: Every business should appoint someone to handle their data processes and take responsibility for ensuring compliance with the POPI Act.
J – July 2021: The POPI Act is lawfully enforceable from the 1st of July 2021.
L – Limitations on Processing: A variety of limits exist on the processing of personal information, including obtaining it from the data subject, gaining of consent, scope (you cannot collect excessive data), and more.
M – Marketing: POPI has a significant effect on marketing practices, and as such, traditional ‘grey areas’ in the processing and use of personal information are now much more ‘black and white’.
N – Notice: You must provide your data subjects with a notice of how their information is collected, processed, used and disposed of, as well as what the purpose of that information is.
O – Openness: The data subjects must always be able to access their data, be able to see what data you possess, and be able to make changes to their data.
P – Penalties and fines: Non-compliance is prosecutable, with fines of up to R 10 000 000 and imprisonment of up to 10 years.
Q – Quality of information: Personal information must always be kept accurate, complete, and up to date.
R – Regulator: South Africa has an Information Regulator who is empowered to monitor and enforce compliance with the POPI Act. It is an independent regulatory authority.
S – Security: As a condition for processing personal information, you are required to take all reasonable measures to ensure that the information of your data subjects is protected, secured, and encrypted.
T – Third-party processing: Your data subjects have to consent to the use of their information by third parties and the details thereof must be clearly outlined before you collect their personal data.
U – Unsubscribe: Where you previously might have gotten away with sending unsolicited communication with the option to unsubscribe, now you will need to ensure that your data subjects opt in for communication.
V – Veracity: All the data you process must be accurate, and it is your responsibility to ensure that you update your databases regularly.
W – Why: The purpose for which you collect and process personal information must be clearly defined and communicated to data subjects.
Y – Yearly review: You will need to regularly review your POPI plan and ensure that your processing standards remain up to date. Therefore, it is advisable to review your data systems and POPI protocols at least once a year.
Z – Zero Trust (ZT) Architecture: As a security measure some companies have implemented ZT Architecture, which ensures that the authority and access to data is checked at every point of access and not just trusted because of the network through which it moves. This is not a requirement of POPI.

*Please note there are no entries for K or X.

To ensure that you have everything in place to protect yourself (as an information processor) and your data subjects (whose sensitive data you collect) with regard to the POPI Act, please get in touch with your trusted advisor.

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice. Errors and omissions excepted (E&OE)

Why the POPI Act matters
The right to privacy is enshrined in Section 14 of South Africa’s Constitution and we understand it to be a vital human right. It states: “Everyone has the right to privacy, which includes the right not to have – (a) their person or home searched; (b) their property searched; (c) their possessions seized; (d) the privacy of their communications infringed.”

It’s the last part of the abovementioned list that is becoming a growing concern. All around the world more and more focus is being placed on protecting private information as countries and governments are setting new laws to ensure the safety of their citizens’ information online. In an age where information is growing at an exponential rate, no digital exchange of information can be left unprotected. For this reason, the Protection of Personal Information (POPI) Act comes into full effect from the 1st of July 2021. Non-compliance could carry hefty fines, but as with most regulatory pieces of legislation, compliance is more than just a box to tick.

Let’s consider why personal information should be protected:

It builds confidentiality

Protection of data is very much a protection of the information that people hold as important. By capturing, storing, and processing personal information, you are essentially guaranteeing the confidentiality of your transactions with the other party. Confidentiality is built when you can guarantee that no one other than you is able to access and process the information you store. Having a secure database stored with good encryption on your servers is a good way to keep to the promise of security you give to your customers/clients.

It ensures the integrity of information

In a similar vein, data protection ensures that data remains accurate and retains its integrity. Your customers/clients need to be sure that all their data is current and accurate, and that no manipulation of the data can take place.
Furthermore, to ensure the integrity of information, the data needs to be frequently backed up while remaining synchronous (i.e. whenever a change is made that change must reflect in the backup in as little time as possible). Safeguards can also be put in place to ensure that no data is duplicated or stolen.

It leads to trust

With regard to information storage and access, trust is built when your data subjects know that their data will always be available when and where they need it. Readily available data and the ability to request changes to the data with little to no delay are ways to build trust and assure data subjects that you are handling their data ethically.

At the end of the day, how you handle information is a question of ethics. What the POPI Act brings is a sense of relief in a modern age that there will be repercussions for the mismanagement of data and that there is greater regulation of data management. Soon the everyday consumer will have a lot more protection against unwanted marketing and unethical data practices, practices that have been allowed to go on for too long.

For those who are still lagging behind, the clock is ticking and failure to become fully POPI Act compliant could hold serious consequences. Make sure to get your matters in order before 1 July 2021.

How will the POPI Act affect the real estate industry?
On 1 July 2020, the enactment of the Protection of Personal Information Act (POPI Act) commenced, which will come into full effect on 1 July 2021. As its name states, the POPI Act aims to promote the safeguarding of personal information by putting in place the necessary regulations and legislation needed to realise this. Since its acceptance into parliament on 19 November 2013, the media has been flooded with the scope of the Act and how it will affect those who work with personal information. One industry that should not be overlooked during this time of preparation is the real estate industry.

Personal information has always been a vital part of the real estate industry, and as such, the industry comprises various responsible parties that fall within the scope of the POPI Act. Estate agents, for one, use the data of their clients to better equip them in the search for their clients’ perfect homes, discerning the needs from the data. They also use this information to complete documentation such as lease agreements, FICA compliance affidavits, bond approvals, mortgage bond applications, and transfer deeds. So, it makes sense that estate agents must have access to as much personal information as possible.

Conveyancers, who also work with the personal information of clients, often receive sensitive data from buyers, sellers, estate agents, insurers, auditors, homeowners’ associations and financial institutions. This information is regularly passed on to governmental bodies such as SARS, deeds offices and municipalities. As such, it is clear that the effect of the POPI Act will be unavoidable on the real estate market.

What are Responsible Parties?

Simply put, a responsible party is anyone who is responsible for the processing of personal information, whether it be in the collection, safekeeping, or destruction of that information.
They must ensure the integrity of every step taken during the processing of personal information, and must ensure that the guidelines and regulations of the POPI Act are always adhered to. As part of their duties, responsible parties must put in place the necessary measures that safeguard information against any possible internal or external risks, and regularly update these safeguards to ensure up-to-date security.

What are Data Subjects?

Data subjects are essentially any person whose personal information is collected or kept by the responsible parties. The POPI Act includes a non-exhaustive list of exactly what is considered personal information, which responsible parties must familiarise themselves with. The Act also includes the specific rights of data subjects, which aim to protect the personal information of all data subjects.

How will the Real Estate Industry be Affected?

The first step towards POPIA compliance may be the easiest. Neither estate agents nor conveyancers may share a client’s information or pass it on to another organisation or body without the data subject’s written approval. This is especially important as there are various role-players involved in a property search and its subsequent sale. Estate agents will also not be able to hand over the information of tenants and interested buyers to landlords and sellers without the necessary policies having been set up and permissions gained.

Another big change will come in the way estate agencies conduct their marketing. From newsletters and campaigns to special offers and latest listings, agencies and agents will have to obtain the necessary permissions to continue with such communications. For many who receive such unwanted communication, this is a welcome change – one less “spam” email you have to delete before even opening it.
But for those who benefit from such communications, the additional steps that need to be taken to ensure that they continue to receive the latest news and developments are vital.

Most importantly, the POPI Act puts the decision of what information is given out back in the hands of the individual to whom the information belongs. Whatever way you look at it, that’s something good.