POPIA: Things to bear in mind

The Protection of Personal Information Act (POPIA) aims to protect your personal information.

The act has a name for you: a data subject, which refers to customers or people on an email database, as one example. This is important for any organisation or small business that processes personal information (processing is defined as look at, collect, transfer, store, back up etc.). The act views personal information as names, email addresses, physical addresses, gender and much more.

The act came into effect on 1 July 2021.

There are a couple of basic elements to the law:

 – As a small business/organisation, you must ensure the conditions for lawful processing.

– Don’t show anyone your info (offline or online), don’t leak it and don’t let it be stolen.

– Collect as little info as you can.

– There must be a reason for processing the information.

– Know what information you have and where it’s stored.

When you’ll get in trouble with the law:

– If your phone or laptop is stolen, and there is any personal info on there AND you haven’t taken any steps to protect the information.

– Or if a data subject complains that you have in any way shared their information.

What to do to be compliant?

– Prevent any data breaches (online AND offline – in other words, protect not only your computer using anti-virus software, but also ensure personal information in your office is stored and can’t be viewed).

– Report stolen laptops, mobile etc. to the Information Regulator.

– If it’s stolen, tell the Information Regulator what personal info was on the device.

What trouble could you get into? 

At the absolute worst case, up to 10 years in jail or a R10m fine, or both.

Your immediate steps

– Each small business/organisation must be registered with the Information Regulator BEFORE 1 February 2022.

– Each organisation must appoint an information officer who ensures compliance.

– Complete the compliance documents required.

– Sign contracts with your employees to ensure confidentiality of your information.

Security measures you could put in place:

• Encrypt your computer and phone (if you don’t, and your phone or computer is stolen, you have to inform the Information Regulator).
• Encrypt any invoices or other personal info you send.
• Ensure your passwords can’t be hacked (look at a password management system).
• Ensure your antivirus is up to date on your computer.
• Delete any old databases.
• Keep the personal info you have clean and accurate.
• Gather your old devices and wipe them.
• Don’t let external parties use your business wi-fi.
• Lock files (in your office) that contain personal info (including email addresses).

Other steps to take as soon as you can

– Get agreements in place that operators must sign PRIOR to accessing your info (operators could be your PC technicians who work on your computer, payroll teams you work with, accountants etc.).

– Change your behaviour: Consider NOT forwarding, CC’ing or BCC’ing in emails. Don’t send files containing personal info via email (and if you do, encrypt it).

– Start tracking when and how you process data.

This is an extremely simplified summary of a complex act, so it’s worthwhile spending time understanding the act and your responsibilities as a small business or organisation, or chatting to your lawyer to ensure your protection measures are in place.

Find more about the act here: www.popia.co.za.

Heather is our content writer. She enjoys helping our clients formulate their message and loves to run her way across beautiful mountains, to explore new places and is always ready for an adventure.

Email: hello@lovegreen.co.za | Phone: 072 8848 468

HOME  |  WHAT WE DO  |  DIGITAL MARKETING  |  OFF-LINE COMMUNICATIONS  |  MEDIA MANAGEMENT