How compliant is my business? Questionnaire

    *1. Do you keep record of the personal information of clients and staff that you hold?


    • Personal information is data that can be used to identify a person or an entity.

    • POPI lists the following as examples: race, gender, sex, pregnancy; marital status; national/ethnic/social origin; colour;
      sexual orientation; age; physical or mental health; disability; religion/beliefs/culture; language;
      educational/medical/financial/criminal or employment history; ID number; email address; physical address; telephone number;
      location; biometric information; personal opinions, views or preferences.

    • Do your records show the type of data you have, such as names and email addresses?

    • To become compliant with POPI, you need to do a PI (personal information) audit. In other words, you must look at your
      business and think about what information you collect and receive, how it is stored (eg, on paper, or electronically on
      computers, laptops and cellphones), and when and how you share the PI (for example, when you send a client’s ID to a third party).

    *2. Do you have a record of how you obtained the data, what you do with it and why you collected it?


    • The reason why you collect and keep personal information must align with the eight conditions for lawful processing (using, collecting it) listed in POPI, one of which requires that the data subject (individual or company involved) should personally provide the information to you (where possible) and must be informed why the information is required and what you will do with it.

    • You must therefore be able to show how you gathered the data (such as on paper forms or through your website or directly from the client), why you have the data (for example, for marketing purposes), how long you’ve had the data for and/or how long you will keep it.

    • In most instances you need the client’s informed consent to ask for and retain his or her personal information.

    • Audit your processes used to obtain, record, store, disseminate and ultimately destroy the personal information.

    *3. Do you keep record of when and with whom you shared personal information of clients or staff, where it was shared with third parties?


    • Do you have a policy or rules about the sharing of data?

    • For example, if an electric installation inspector asks you for the contact details of a seller, purchaser or property manager (to perform an inspection at a home that was sold for purposes of issuing a Compliance Certificate), do you keep record thereof?

    • POPI grants the right to consumers (called ‘data subjects’, and they can be natural persons or entities) to make certain requests, free of charge, to organisations holding their personal information.

    • This may include details of whom their information was shared with and the data subject may ask for a record of the information that you hold.

    • Do you have data processing agreements in place for instances when information is shared with third-party service providers?

    *4. Do you know what ‘special personal information’ is and what your responsibilities in respect of this type of information are?


    • Section 26 of the POPI Act creates a special category of personal information called “special personal information”. This relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information. Also included in this category is information relating to the alleged commission of any offence or any proceedings in respect of any offence allegedly committed and the outcome of such proceedings.

    • Failure to obtain consent makes processing (ie, using the information) this special personal information strictly prohibited, unless

      i. it is necessary by law;
      ii. or is done for historical, statistical or research purposes;
      iii. or the information has been deliberately made public by the subject.

    • There are limited exceptions to the prohibition against the processing of “special personal information”.

    • Special rules apply to the processing of personal information of children.

    *5. Do you only collect the personal information that is needed for a specific purpose and retain it only as long as is necessary for that purpose?


    • Do you make sure people know the difference between information they need to provide and information that is optional?

    • Personal information may only be collected for a specific (lawful) purpose that is related to a function or activity of your business.

    For example (1):
    John has a garden services business. He collects his customers’ names and contact numbers in order to render his services at their homes. John would also like to collect his customers’ email addresses so he can email their bills instead of posting them through their front doors. As this is not necessary for him to carry out his services, he tells his customers that giving him this information is optional.

    If he were to use the information to commence marketing other services, then he falls foul of the Act, unless he obtained consent for other direct marketing. See also point 10 hereafter.

    For example (2):
    Peter’s business is providing an online subscription-based newsletter. He collects the name, email address and phone number of his subscribers, as well as their specific weekly, monthly or yearly order, and details of their payments.

    Peter creates a document that details what personal data he collects and how long he holds it (the retention period). At the end of the retention period, he securely destroys the data by shredding it. He does not hold onto details of subscribers when they cancel the subscription.

    He also annually checks the personal data he holds to make sure everything has been deleted at the end of its retention period.

    *6. Do you keep the personal information you obtained secure?



    • Do you employ a system using security software, with anti-virus installed, anti-spyware software, and a firewall?

    • Are passwords kept private?

    • Is the personal information data encrypted?

    • Are you and your staff wise about Wi-Fi?

    • Do you keep electronic data secure, say by encrypting mobile devices, using passwords and backing up the data?

    Physical records

    • Do you employ organisational security measures such as limiting access to personal information so that only those who need to have access, are granted access?

    • Do you keep personal information secure in your office, for example by using lockable filing cabinets and locking or logging off computers when away from your desk?

    • Do you safely dispose of personal information? (For example, if an extra copy of a client’s identity document is produced, do you bin it or do you shred it?)

    • Do you keep paper documents secure, for example by using lockable storage and disposing of paper records securely?

    *7. Do you have a way for people to exercise their rights regarding the personal information that you hold about them?


    • The data subject (individual or entity) has the following rights:

      i. The right to be informed – being told what data you hold about them and what you do with it.
      ii. The right of access – being able to request a copy of their data you hold.
      iii. The right to rectification – being able to have inaccurate data corrected.
      iv. The right to erasure – being able to ask you to delete / destroy their data (unless of course you are by law required to retain the records for a specific period).
      v. The right to restrict processing – being able to limit the amount or type of data used.
      vi. The right to object – being able to request you stop using their data.

    • Do you have plans in place so you can deal with any such requests?

    • Do you know that a request can be made in writing or verbally, in person or on the phone?

    *8. Do you and your staff (if you have any) know your data protection responsibilities?


    • Do you or will you provide training to employees on compliance with POPI?

    • How will the privacy policy (and other personal information protection measures) be communicated within your organisation and to external parties?

    • Do you transfer data outside of SA and does your policy provide for this?

    • Do you and your staff know what to do if something goes wrong, including a personal data breach? (A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This can happen, for example, when a file containing details of a client is left in a car and the car is broken into and the file stolen; or a laptop, cell phone or other device is stolen and the password is easily detected.)

    • Do you know which breaches to report to the Information Regulator?

    • Do you know which breaches you have to inform individuals of?

    *9. Have you appointed a Data Protection Officer?


    *10. Do you know the limitations that POPI imposes in respect of direct marketing?


    • Have you reviewed your marketing procedures and processes to determine compliance with POPI?

    • The Act impacts substantially on direct marketing — especially through SMS and email channels. Up until 30 June 2020, most of this form of marketing has been on an ‘opt-out’ basis, in other words consumers receive promotional messaging and can choose to no longer receive these messages.

    • With POPI in force, direct marketing has become ‘opt-in’, where consumers will have to actively agree to receive promotional messaging.

    • In essence this means that unsolicited direct marketing via electronic channels is allowed only where the recipient has opted in or where (i) the recipient is an existing consumer and has already given their personal information to the supplier in the context of a sale for the purpose of direct marketing; or (ii) the consumer "has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality".

    (*) Fields are required