In South Africa, legislation specifically aimed at striking a balance between free data flow and the right to privacy includes the Promotion of Access to Information Act, No 2 of 2000, best known as “PAIA”, and the Protection of Personal Information Act, No 4 of 2013, or “POPIA”, with its Regulations of 2018.
How does this affect your business? POPIA applies to every company in South Africa that processes people’s (or other companies’) personal information. This can range from storing e-mails on your computer and processing members’ and customers’ details to sending out direct marketing messages. POPIA defines both “personal information” and “processing” very broadly. Under certain conditions (section 105 POPIA), non-compliance with POPIA’s Chapter 3 may constitute a criminal offence.
What action needs to be taken, and when? Procedures, documents and people need to be in place to prove your company’s compliance with POPIA. Should it ever come to a complaint or dispute, your defence will rely on evidence of these measures, systems and remedies. Action is therefore required at two levels: at your company’s office, and on your website. POPIA provides a “grace period” of one year (section 114(1)). Full compliance with POPIA must be in effect one year after its commencement date, which was proclaimed on 22 June to be 1 July 2020.