What is POPI? How Do You Protect Your Business


4th Industrial Revolution, Digital Transformation, Cloud – in every day-to-day business we seem to have these massive buzz words that everyone is talking about but does not necessarily understand or understand its impact on the business.  Our next one is…. POPI.  What is POPI?  In the past, when you went to your new favorite store and completed a credit application form, you handed over personal information. A few months later the calls start for insurance quotes or the 7th cellphone package and you wonder how you got to onto some marketing calling list.

Recovery is Costly and Damaging

Businesses would sell these data lists and there was limited authority for you to control who had your information and how they got it.  Enter POPI.  Data breaches can cost businesses millions to rectify, cause extreme consequences, losses and there could be reputational damages too. Recovery from a breach can have massive cost implications, such as staff costs to resolve the breach and it can take a long period of time to get to a resolution.

POPI is about the protection of personal information, how companies must handle, store, and delete the data.  It is about protection against abuse. It is about changing mindsets – it is no longer about the default being you are opted in regardless of if they have your consent – you had to opt-out. POPI now makes it that an opt-in is compulsory – you need consent but more importantly, you need informed consent. Companies will now have to explain exactly what data they will be collecting and what they intend to do with it.

What is Covered? Personal Information is:

  1. Information that describes you – race, gender, nationality, physical health, language to religion.
  2. Information about you – education, medical, financial.
  3. Details about you – ID, address, email, and telephone number.
  4. Your opinions.
  5. Your correspondence that is of a private nature.

3 Reasons You Know You Have Data to Protect

  1. You collect it, receive it, record it or store it.
  2. You disseminate it.
  3. You merge, link, or destroy information.

At the Heart of it, there are 8 Conditions that you Must Comply with:

  1. Accountability – The business is responsible for the data from processing until the time of deletion.
  2. Processing Limitation – The business can only collect the minimum information required and informed consent is essential.
  3. Purpose Specifications – Information must be collected for a lawful purpose and deleted once that purpose is done.
  4. Further Processing Limitation – Data cannot be used for a secondary purpose and cannot be transferred to a 3rd party.
  5. Information Quality – Data should be accurate and not misleading.
  6. Openness – Business must explain why the data is needed and where it will be used.
  7. Security Safeguards – The business needs to ensure the confidentiality of the data.
  8. Data Subject Participation – The owner of the data has a say in the processing of the data.

These are wide definitions, which means it applies to the majority of business. If you have employees, suppliers, customers – you need to comply. So, what does your POPI Compliance journey mean:

  1. Appoint an information officer.
  2. Create awareness and provide training. Training must cover POPI but also ensure that the business and your employees are privacy-aware.
  3. Conduct a gap and impact assessment. Identify the main POPI compliance gaps, then start identifying what needs to be done in your business to start becoming POPI compliant.
  4. Develop a compliance framework with processes and policies.
  5. Implement your framework and monitor it.

Critical Planning

Critical in your planning is to understand security from the network to hosting to support. Reporting will be a key element in the monitoring process.

From a legal perspective, contracts need to be reviewed to ensure that they cover all the necessary items around POPI.  From definitions of data subjects, data processors, data operators, and how the data will be handled, processed, and deleted.  When reviewing a contract is critical that:

  • Both parties have the capacity to enter into the agreement.
  • Applicable laws have been considered and reviewed.
  • Obligations have clearly been defined.
  • Termination rights are clear.
  • Dates are included.
  • All POPI obligations are clearly laid out and defined.

The good news is that businesses have 1 year to fully comply with the commencement date of the Act.

The nuts and bolts of it are that businesses really need to have a strategic plan around data and what they use it for. Benefits should include cost reductions in less data being kept so storage-saving should be seen.  In addition, the Act aims to increase transparency thus increasing trust with clients. POPI provides the opportunity for businesses to understand their environments, have more controls in place, and thus lower potential cyber breaches or their impact. With the focus on Data-Driven businesses, improved data management brings efficiency and effectiveness to the business.