POPIA Meaning
The Protection of Personal Information Act (POPIA) is South Africa’s data protection law. When it was passed on July 1st, 2021, POPIA brought South Africa’s data protection standards on par with the EU’s General Data Protection Regulation (GDPR), a law which has shaped global norms and values since its debut in 2016.
POPIA has been legally enforceable since July 1st, 2021. Small local businesses and large multinationals alike must ensure they comply with POPIA if they wish to avoid the harsh penalties for non-compliance.
Purpose of POPIA
As outlined by the official government gazette, the two primary functions of POPIA are to…
“Promote the protection of personal information processed by public and private bodies; to introduce certain conditions to establish minimum requirements for the processing of personal information.”
The Act is enforced by the Information Regulator, which is “empowered to monitor and enforce compliance by public and private bodies with the provisions of the POPIA Act.”
POPIA Compliance Requirements
POPIA outlines eight conditions under which personal information may be legally gathered and processed.
- Accountability: the business must designate a responsible party who will be held accountable for any failings relating to POPIA – the CEO assumes this role by default. Additionally, the business must create policies and procedures to ensure ongoing POPIA compliance.
- Processing Limitation: personal information must be processed in accordance with the law and only with the consent of the data subject. Any personal information obtained from any source, whether directly from the data subject or from a third party, must be obtained and processed with the explicit consent of the data subject.
- Purpose Specific: personal information can only be processed for the reasons that a data subject’s consent originally granted. For example, if a data subject grants permission for their personal data to be used for medical purposes, that information cannot be sold to advertisers. Additionally, personal data must be destroyed once it has served its purpose or after an agreed-upon timeframe.
- Further Processing Limitation: personal data cannot be reprocessed or processed for a secondary purpose unless that purpose is compatible with the original purpose for which it was collected. Where this is done, the data subject must consent to it.
- Information Quality: a business must take reasonable steps to ensure that a data subject’s information is complete, accurate and up to date.
- Openness: the data subject must always be aware that you are collecting their data and for what purpose that information will be used. The business must be able to prove that a data subject was made fully aware and that their explicit consent was obtained before any of their data can be gathered or processed.
- Security Safeguards: a business must ensure that all its data is properly stored and processed so as to protect against the risk of loss, unlawful access, interference and modification or unauthorized destruction, disclosure and distribution.
- Data Subject Participation: data subjects may at any time ask where and how their data is being stored. Data subjects also retain the right to request the immediate correction or deletion of any of their personal data.
Data Security Under POPIA
Regarding security safeguards – namely properly storing and processing data so as to protect against the risk of loss, unlawful access, interference and modification or unauthorized destruction, disclosure and distribution – POPIA requires there to be reasonable precautions present to protect against “reasonably foreseeable risks”.
This means that a business which has such precautions in place should be able to make a defensible legal case to the regulator, and avoid severe penalties, even if it falls victim to a major, highly advanced cyber-attack.
Notably, businesses cannot afford to omit “menial data” such as the emails and messages which are found on employee laptops and hard drives. Although this data is easily overlooked, businesses have a legal obligation to protect such commonplace data; failure to do so could result in serious penalties.
Special Personal Information Definition
Under Section 2.2 of a guidance document, the Information Regulator defines “special personal information” as information pertaining to a person’s “religious beliefs; philosophical belief; race, ethnic origin; trade union membership; political persuasion; health; sex life; biometric information; the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.”
The prohibition on processing this information is only lifted in certain specific circumstances, such as obtaining an individual’s explicit consent to do so.
Fines for Non-Compliance
Consequences include fines of up to R10 million and prison sentences of up to 10 years for a complete breach of the Act, while minor offences are punishable with a fine and a prison sentence of at most 12 months.
However, some sectors are exempt from POPIA compliance. These include South Africa’s parliament and the judicial system, as well as information processed for purely personal or household activities, or for journalistic, literary or artistic purposes.
China Wants to Shape Global Norms for Data Privacy and Data Protection
The complex regulations for cross-border data transfers can seriously constrain or promote business. Therefore, developing global standards that protect personal information but minimize compliance obligations is an objective worth pursuing.
The GDPR already governs personal information for all EU member states, but China wants to take this concept further. Article 12 of the PIPL clearly states China’s ambition to shape global standards for personal information protection legislation.
To understand the differences between South Africa’s POPIA and China’s PIPL laws, as well as gain an insight into the potential future of data privacy legislation, read our analysis here.
Why POPIA Is So Important – Fostering Trust and Economic Growth
Trust – understood as “our willingness to be vulnerable to the actions of others because we believe they have good intentions and will behave well towards us” – has been repeatedly undermined by companies and governments mismanaging and abusing personal information. Although many variables beyond the abuse of personal information contribute to it, the decay of trust is rife: we are more suspicious of businesses, government, and each other than ever before, and the share of the global population that felt most people could be trusted has fallen by 20% over the last 15 years.
Laws that govern the protection of personal information – such as POPIA, the GDPR and China’s PIPL – are essential for restoring this trust. In an interview with Deloitte, the director of MIT’s Connection Science laboratory Sandy Pentland explained the value of transparency when dealing with personal information.
“I’m going to deliver this service to you, and then without really making it clear, we’re going to sell your data on the side. That’s a violation of trust. A consequence is that if I don’t understand your business model and what you are offering me and what the value is to you, I can’t trust you. It’s that transparency in value, the relationship, and the motivations that are often left on the floor” – Sandy Pentland, MIT.
The legal requirement for the acquisition of data subject consent empowers individuals to make informed decisions about how and when their personal information is collected and processed. This fosters an environment in which consumers can trust that businesses will not abuse their personal information once it is collected. This is invaluable because countries in which businesses, governments and other institutions engender more trust experience stronger per capita real GDP growth. Macroeconomics has shown that as trust improves, economic prosperity grows.
The Value of KYC, Enhanced Due Diligence and Identity Verification Services
It is clear how vital it is to rebuild the trust we have lost. However, it is naïve to simply ask people to trust one another. The risk of loss is too high. Trust must be rebuilt on verifiable identities that can offer peace of mind by affirming the integrity of those we do business with.
As South Africa’s leading provider of world-class due diligence and remote-onboarding solutions, ThisIsMe is proud to be at the forefront of a trust-based and privacy-compliant digital world. To experience our full suite of advanced due diligence services, book a demonstration by contacting our team here.