Get POPIA ready with Maximizer CRM and Camsoft CRM Solutions.

The POPI Act, short for Protection of Personal Information Act, is upon us and will be law on 30 June 2021. This may seem far away at the moment, but it’s just around the corner and everyone needs to get their house in order as soon as possible to comply.

If you have customers then you will also have their information, and in most cases you not only need their permission to hold and manage their data but also need to protect their records against being stolen by hackers. We can help you prepare for this, and to this end Camsoft CRM Solutions has put together a comprehensive POPI package that is centred around your Maximizer CRM system.

Included in this package are field setups, dashboards, reports, customer notification and staff training. Please contact your account manager or email us on mark@camsoftcrm.com to arrange for a consultation and access the applicable FAQs.

POPIA Frequently Asked Questions

The POPI Act’s aims are to:

  • Promote the protection of personal information processed by public and private bodies.
  • Introduce certain conditions to establish minimum requirements for the processing of personal information.
  • Provide for the establishment of an Information Regulator to exercise certain powers and to perform certain duties and functions in terms of both this Act as well as the Promotion of Access to Information Act, 2000.
  • Provide for the issuing of codes of conduct.
  • Provide for the rights of persons regarding unsolicited electronic communications and automated decision making.
  • Regulate the flow of personal information across the borders of the Republic; and
  • Provide for matters connected therewith.

If you hold any of the types of data mentioned below then you need the individual’s permission to have possession of it.

  • Gender, race, marital status, nationality, sex, mental health, religion, belief, language, etc.
  • Education or financial, criminal, medical and employment history.
  • Biometrics, including physical, behaviour and/or physiological characterisations (DNA analysis, retinal scanning, blood type, etc.)
  • Email address, telephone number, location information, online identifier, etc.
  • Correspondence of a private nature.
  • Opinions or views that another person has relating to the individual.
  • The individual’s name, if disclosure of the name would lead to the revealing of information about the individual.
  • Any public or private body, or any other person which, unaided or in combination with others, regulates the purpose of and means for processing personal information (Responsible Party).
  • The ‘Responsible Party’ of every company is accountable for ensuring and enforcing its own compliance.
  • Any person who processes personal information for a Responsible Party in terms of a mandate or agreement, without coming under the direct authority of the Responsible Party.
  • If you act recklessly with this information, you not only face regulatory sanctions, but you also run an actual risk of damaging client relationships and overall business reputation.
  • Non-compliance may have far-reaching consequences and could expose the Responsible Party to a penalty or fine of R10 million and/or imprisonment of 12 months up to 10 years.
  • There are no legal requirements for a formal qualification to be obtained by the Information Officer, but larger organisations tend to use someone with legal qualifications.
  • The Information Officer can be a full-time or part-time role, depending on the company’s size and requirements.
  • Yes.
  • Notifications need to be made now, before the deadline on 01 July 2021, and afterwards.
  • Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Regulator (section 22).
  • Any number of breaches requires a notification to the Regulator, including just one minor breach.

If data on a device is encrypted then the theft of the device does not need to be notified to the Regulator, but without encryption a cell phone, tablet, laptop, or computer theft needs to be registered with the Regulator.

  • The aim is to have it up and running by 30 June 2021. This gives responsible companies and data owners plenty of time to train staff and be compliant before that date.

In a nutshell it is all about taking special care of the personal information that is entrusted to you by your customers and prospective customers.