How the new POPI Act affects Intermediaries
Cyber-attacks are on the rise during lockdown, increasing from the norm of 30 000 daily to 310 000 recorded on the 18 March as criminals exploit the unsecured home networks used by millions of office workers who are now operating remotely. The Protection of Personal Information (POPI) Act aims to mitigate some of the risk with additional disclosures and increased security around access to client data. The POPI Act came into effect on 1 July 2020 giving all companies, including financial service providers and intermediaries, until 30 June 2021 to comply.
Danelle van Heerde, Head of Advice Solutions at Sanlam, notes that intermediaries must ensure third party vendors have the proper security in place to protect against data breaches and ensure that their client information is stored securely.
“The POPI Act supports the trust relationship between client and intermediary by creating a transparent process,” says van Heerde. “Clients give intermediaries access to a host of personal information, so it is imperative that clients trust that their information is safe and that it is only used for the specific purposes disclosed to them.”
After meeting with a new client for the first time, intermediaries must ensure they have permission to continue the relationship and to communicate with the client. Clients must also have the option of opting out or unsubscribing from email newsletters or marketing communications.
Processing relates to any activity concerning personal information and includes any operation or set of operations connected to that information. This can be lawfully done if the 8 conditions listed in the Act below are met:
Intermediaries must ensure all the provisions of applicable data protection laws are complied with and remain accountable even when third parties are used to process personal information on their behalf.
2. Processing limitation
Data can only be processed lawfully with consent from the client or with legal justification, for example where necessary to conclude a contract or to meet a legal obligation. Only data relevant to the purpose may be processed.
3. Purpose specification
The purpose for which data is collected must be specific, explicitly defined and legitimate. Clients must be informed of the purpose for which their personal information is collected.
Personal information may not be kept for longer than is necessary than required to achieve the purpose, unless required by law, e.g. to meet the requirements of the FAIS Act.
4. Further processing limitation
Any further processing of personal information must be compatible with the purpose for which it was collected.
5. Information quality
Reasonably practical steps must be taken to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
Clients must be aware that the responsible party is collecting their personal information, the purpose of collection and the consequence of not providing information.
7. Security Safeguards
Reasonable precautions must be taken to secure the integrity and confidentiality of personal information and prevent loss, damage or unlawful access.
8. Data subject participation
Clients may ask a responsible party to confirm whether their personal information is held, for detail of the information held and any third parties who may have accessed it and to correct or delete personal information.
“If you manage a small business or brokerage, ensuring POPI compliance can be cumbersome. You may benefit from partnering with compliance experts to implement legislation and evaluate whether your third-party vendors are compliant as well,” notes Van Heerde.
Until recently, companies did not have a legal obligation to inform their clients when their data had been compromised. Under the new POPI act, companies have a legal obligation to inform their clients when data has been compromised or face a hefty fine of up to R10 million.
Overall, the POPI act has highlighted the importance of securing personal information both for clients and intermediaries. “Intermediaries should welcome additional disclosures as an opportunity to further strengthen the trust of their clients,” concludes van Heerde.