Many people think that complying with the Protection of Personal Information Bill (POPI) is simply a case of preparing a privacy policy.

In doing so, there appears to be a tendency to simply “cut and paste” from an existing privacy policy online. This is possibly due to the fact that privacy policies have now become ubiquitous in the online world.

However, what many do not often realise is that many of these online privacy policies are a direct result of legislation and the various court judgements that protect “personal information” (PI). These differ from country to country and one cannot guarantee that they will comply with POPI. So be careful: your privacy policy may be totally wrong and inappropriate.

We often get asked to simply review a client’s privacy policy “for compliance” and frequently experience pushback when we explain to clients that before you can even think about reviewing or drafting your privacy policy you need to have a privacy strategy in place and also should have conducted a Privacy Impact Assessment (PIA).

At the end of the day, a privacy policy must:

  1. be designed to allay consumers concerns about the manner in which their PI is being treated and make them feel comfortable about doing business with you; and
  2. satisfy the legal requirements of POPI and the sectoral Codes of Practice provided for in POPI – if you are doing business on a global basis, you will also have to comply with international privacy laws.

All privacy policies in existence in South Africa have only focused on the former. Drafting a privacy policy that complies with POPI, whilst addressing consumer sensitivities and reflecting business objectives, is a tremendous challenge.

Furthermore, many organisations assume that once their privacy policies are in place, that the job is completed. This is a mistake. Every time content or services are added, or website functionalities change, there is a risk of exposing users to privacy breaches and contravening POPI.

When we talk about privacy policies, most organisations only focus on their external, public facing privacy policy, which is distributed to customers and made available on the website. However, a separate privacy policy needs to be in place to govern the way you manage data internally, including your employee PI. This policy must be clearly written as employees need to understand what is expected of them, the reasons behind expectations, and the consequences if they fail to meet their obligations.

If you would like us to review your Privacy Policy or require further information please contact privacy@michalsons.co.za.

Read about our full range of privacy and protection of personal information services as well.