The Protection of Personal Information Act (POPIA) is set to take effect on 1 July 2020
On 22 June 2020, the President issued a Proclamation regarding the commencement of certain sections of the POPI Act, namely sections 2 to 38, 55 to 109, 111 and 114(1), (2) and (3), all of which take effect on 1 July 2020. These sections deal with, inter alia, the purpose of the Act, the application and exclusion provisions, the lawful processing of personal information and the exemptions from it, the provisions relating to the Information Officer, prior authorisation, codes of conduct issued by the Information Regulator, the provisions regulating direct marketing by means of unsolicited electronic communications, enforcement, complaints, offences and penalties.
The Proclamation also states that sections 110 and 114(4) come into effect on 30 June 2021. These sections deal with the transfer of the enforcement of the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission (SAHRC) to the Information Regulator.
It is important to note that section 114(1) of POPIA provides a grace period of one year within which to become fully compliant with the Act. All entities must therefore be fully compliant with the provisions of POPIA by 1 July 2021, and the grace period should be used to put compliance processes in place.
POPIA was signed into law in 2013 but did not take full effect at the time. Various developments have since taken place, such as the appointment of the Information Regulator in 2016 and the publication of the final POPI Regulations in 2018.
The Act aims to protect personal information and gives effect to the broader Constitutional right to privacy. POPIA seeks to regulate every step of the processing of personal information, from how it must be handled when it is collected until the time it is destroyed. But what exactly should be considered personal information, and what does processing mean?
Personal information broadly means any information relating to an identifiable, living, natural person or, where applicable, an identifiable, existing juristic person (companies, CCs etc.) and includes, but is not limited to:
contact details: such as email addresses, telephone numbers, physical addresses etc.
demographic information: such as age, sex, race, ethnicity etc.
information relating to the education or medical, financial, criminal, or employment history of the person
biometric information: such as fingerprints
the personal opinions, views or preferences of the person
the views or opinions of another individual about the person
private correspondence sent by the person or further correspondence that would reveal the contents of the original correspondence
the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.
Processing means anything that can be done with personal information, including its collection, use, storage, dissemination, modification or destruction.
POPIA and Financial Advisors
It is crucial for every individual who processes personal information to understand the requirements of POPIA. Business owners, Directors and Key Individuals need to understand the principles of POPIA from both an external and an internal perspective: external refers to how client information is processed, while internal refers to HR processes and how employees' personal information is processed. Adequate security measures and POPIA-related policies and procedures will need to be implemented in order to maintain the confidentiality and integrity of personal information in line with POPIA. The daily activities of Financial Service Providers include the processing of personal information, such as gathering information when onboarding a client, processing client information to perform a financial needs analysis, or performing an intermediary task. Financial advisors will therefore need to act with due skill, care and diligence when processing clients' personal information.
POPIA also speaks to the Treating Customers Fairly (TCF) principles. With reference to TCF Outcome 1 ("Consumers can be confident that they are dealing with firms where the fair treatment of customers is central to the corporate culture"), the POPI Act can be regarded as an additional tool to give effect to the fair treatment of clients, in that clients' personal information will be used in a responsible and ethical manner.
Non-compliance with the requirements of the POPI Act may lead to the Regulator imposing an administrative fine, or even to imprisonment. Non-compliance may also result in serious reputational damage for a business.
Below are some important factors to consider in order to get started on becoming POPIA compliant ahead of the 1 July 2021 deadline:
Create a POPIA compliance project timeline
Start planning your implementation according to your project timeline
Appoint an Information Officer within your business
Perform a gap analysis. This requires an understanding of what the POPI Act requires in order to identify the gaps in your business, e.g. what you already have in place, what is not in place, what needs improvement, etc.
Analyse what personal information is currently processed in your business, how it is processed, and how this needs to change. Track and map the flow of personal information into, through and out of your business, including the external parties that have access to that information.
Review all the electronic systems and programmes that you use to communicate with clients and in which you store their information.
Implement POPIA compliant Personal Information management processes
Train all staff on the POPIA and the roles that they will play
Make POPIA compliance "business as usual". It is an ongoing process, a journey, and it will require constant monitoring and management.
The POPI Act imposes obligations on all businesses in South Africa, not just FSPs. If you would like a proposal on how we can assist your business with POPI compliance, please contact your nearest Masthead Regional Office or your Masthead Compliance Officer.