Companies collecting, storing and processing personal information in South Africa are regulated by the European General Data Protection Regulation of 2016 (GDPR), insofar as they manage personal information of EU citizens, by the South African Protection of Personal Information Act of 2013 (POPI), and by the Promotion of Access to Information Act, 2000 (PAIA, which was substantially amended by POPI). In South Africa, an Information Regulator has been established to oversee compliance with POPI.
Both POPI and GDPR introduce similar core principles for managing personal information, which is information by which a particular natural or juristic person can be identified, and includes race, sex, gender, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, birth, education, medical, financial, criminal or employment history, e-mail address, physical address, telephone number, location information, biometric information, personal opinions and private correspondence, and of course the name. These principles are as follows.
First, the law tells us who is legally held responsible for the protection of personal data. Now that this is clear, there’s no more passing the buck on that one. Second, processing of personal data relies on consent that has been received directly from the person whose data is being processed. The scope of the processing is determined and limited by that initial consent. Third, the purpose of the processing must be clearly defined. Fourth, before personal information can be further processed, consent must be received for that further processing. Fifth, the information must be up to date and accurate. Sixth, transparency! One must be informed when personal data is being processed, and informed of its purpose, its destination and who will have access. Data controllers must at all times be able to provide evidence of administrative measures to safeguard transparency. Seventh, security! Data controllers must do everything in their control to safeguard the information. Should a security breach occur, data subjects affected by the breach must be notified without delay (GDPR states “within 72 hours”). Eighth, data subject participation. Every data subject has the right to access, to request a correction or deletion, and to object to the processing of personal information. This means that data controllers need to provide, at the data subject’s request, the personal information they have stored and a list of people that have access to this information, as per the data controller’s PAIA manual.
With reference to direct marketing, the most fundamental change introduced by Chapter 8 of POPI is the principle of prior consent, or “opt-in”. Approaching anyone who is not already a customer with unsolicited marketing messages is simply prohibited. A marketer may approach such a person once to ask for consent. When it comes to existing customers, POPI stipulates an “opt-out” approach – the recipient must have the option to unsubscribe.