Non-profits all need to find a balance between achieving data privacy and achieving their important operational goals. Most people know, at this point, that POPIA and other data protection laws are at the heart of that data privacy. Compliance with a law like POPIA is often complex, time-consuming, and expensive. These challenges can mean that no matter how much you want to comply to protect your beneficiaries, you are unable to do so to the extent required. A POPIA exemption can be just the relief that your embattled non-profit needs. There are important requirements that you need to be aware of, though. POPIA requires that you meet these requirements before you can receive an exemption from the regulator.

What you may want to be exempt from

With all the data processing that most non-profits typically do on a daily basis, there are commercial and legal risks that inherently arise. These risks usually arise because a law like POPIA has certain obligations that a non-profit struggles to comply with due to the nature of the work the non-profit does or limitations related to budgets, resources, and capacity. Think of the following examples of POPIA obligations that your non-profit may struggle with:

  • Being unable to collect information directly from a data subject (such as a beneficiary) because it is cheaper and less time-consuming to get the information from another non-profit you work with;
  • Difficulties in limiting the processing to just a few identifiers – you may not want to limit the amount of information you collect because you intend to help the data subject in various ways over time;
  • Not always knowing, or being able to limit, the period for which you need to keep the information. When a data subject asks you to delete their information (the right to be forgotten), you may be unable to fulfil that right;
  • Only being able to afford basic security measures for the information, and wishing to ask the regulator to exempt you from putting more complex and expensive measures in place; and
  • Being concerned that it takes a while for you to conclude contracts that impose data protection obligations on your service providers and partners, and wanting the regulator to excuse the delay.

How to get a POPIA exemption

The regulator would require your non-profit to show that the processing that it wants an exemption for is:

  • in the public interest, meaning that it impacts a significant group of people (members of the public), not just a small group; and
  • significantly and clearly beneficial to data subjects, even though the processing is not compliant with POPIA. Here, you would have to argue and demonstrate that the work your non-profit does is aimed at improving the lives of your beneficiaries, and that any harm they may suffer due to your data processing is far outweighed by the benefits of your work.

Formatting and submitting your application

You would have to do your application electronically using the form designated by the regulator. Here are the common steps you would have to take:

  • Get your Information Officer involved to help you;
  • Read the guidance note that the regulator issued;
  • Download and prepare the Exemption Application Form;
  • Attach a cover letter or supporting documents to help bolster your application; and
  • Submit everything via email to this email address: [email protected]. To be safe, also consider sending the application to the email address that was published in the guidance note ([email protected]), but is not on the exemptions page on the regulator’s website.

What follows after you have submitted your exemption application?

The regulator will get back to you to acknowledge receipt of your exemption application. They will then assess your application and ask for any additional information or clarification. After that, they may either approve or reject your application. On approving your application, they would publish a notice in the Government Gazette.

Please note, though, that being granted a POPIA exemption does not mean that you stop having to comply with anything in POPIA. There is a good chance that while the regulator may approve your application, they may also attach certain conditions that you have to comply with in order for your exemption status to continue. They may give you a list of minimum actions that you have to take to protect the personal information that you process, and comply with POPIA.

How we can help your non-profit

When the regulator approves your application, for example, but attaches extra conditions that your non-profit must comply with, Sicelo provides expert assistance based on many years of working with non-profits and understanding their legal issues. One example of how we are currently helping non-profits is with the workshop entitled “Top 10 data protection and contractual issues for non-profits,” which you should consider registering for and attending. Moving forward, we will be doing a number of these workshops for non-profits and we do not want you to miss out.