The Protection of Personal Information Act is South Africa’s data protection law. This is a summary or short explanation of why it is important, who it affects, what the timeline is, and what action you should take. This article also provides you with links to read more about the Protection of Personal Information Act.

Why do we need the Protection of Personal Information Act

Essentially, the purpose of the Protection of Personal Information Act is to protect people from harm by protecting their personal information. To stop their money being stolen, to stop their identity being stolen, and generally to protect their privacy, which is a fundamental human right.

To achieve this, the Protection of Personal Information Act sets conditions for when it is lawful for someone to process someone else’s personal information.

Who are the Role Players?

The Protection of Personal Information Act involves three parties (who can be natural or juristic persons):

  • The data subject: the person to whom the information relates.
  • The responsible party: the person who determines why and how to process. For example, profit companies, non-profit companies, governments, state agencies and people. Called controllers in other jurisdictions
  • The operator: a person who processes personal information on behalf of the responsible party. For example, an IT vendor. Called processors in other jurisdictions.

The Protection of Personal Information Act places various obligations on the responsible party, which is the body ultimately responsible for the lawful processing of personal information. Responsible parties should only use operators that can meet the requirements of lawful personal information processing prescribed by the Protection of Personal Information Act.

The Timeline

It will probably commence on 24 May 2017 and after a one-year grace period, it will be effective on 24 May 2018.

Who is affected

Any natural or juristic person who processes personal information, including large corporates and government. The data protection laws of many other countries exempt SMEs, but not currently in South Africa. Maybe the Information Regulator will exempt some natural person and SMEs from complying. Only time will tell in this regard.

Actions you can Take

  • Download a copy and read it.
  • Raise your awareness by attending a public workshop on the POPI Act.
  • Arrange for your own private in-house workshop on the POPI Act.
  • Join the Michalsons POPI Compliance Program.
  • Subscribe to our newsletter to stay up-to-date with the latest developments.
  • Enquire about how we can help with your specific requirement and we’ll give you a fixed price quote.

What steps you will have to take to comply?

Responsible parties will have to take various steps to comply. For example:

  1. Appoint an Information Officer
  2. Draft a Privacy Policy
  3. Raise awareness amongst all employees
  4. Amend contracts with operators
  5. Report data breaches to the regulator and data subjects
  6. Check that they can lawfully transfer personal information to other countries
  7. Only share personal information when they are lawfully able to.

What are the Penalties for Non-compliance?

There are essentially two legal penalties or consequences for the responsible party:

  1. A fine or imprisonment of between R1 million and R10 million or one to ten years in jail.
  2. Paying money to data subjects to compensate them for the damage they have suffers.

The other penalties include:

  • Reputation damage
  • Losing customers (and employees) and failing to attract new ones

But your main motivation for complying with the Protection of Personal Information Act should be to protect people from harm.