In our Compliance Unit at STBB, I resist alarmist communication to business owners regarding their POPI or POPIA (the Protection of Personal Information Act) compliance obligations. It is indeed the large proverbial elephant that must be served and digested before 1 June 2021, but it is relatively easily achievable if the business management has the right mindset, a healthy POPI appetite. This is best achieved by knowledge and understanding of the requirements of POPIA, rather than fuelled by threats of financial penalties and reputational damage.
In this month (November 2020), our Compliance Unit will publish four weekly notes to demystify some misconceptions that we encounter in our dealings with clients, and our weekly blog will elaborate on the titles. The four topics are:
- Complying with POPI is a big business worry only
- Step up IT security to comply with POPIA
- One-size-fits-all bundles are okay to achieve POPI compliance
- POPI is unnecessary red tape and another way for government to get at businesses
Our Thought of the Week on 3 November addressed the first topic, so let’s elaborate thereon.
COMPLYING WITH POPIA IS A REQUIREMENT FOR MOST BUSINESSES, NO MATTER THEIR SIZE: HOW?
The vast majority of businesses will need to comply with POPIA because they collect and process personal information of ‘data subjects’ for some or other function of the business. Viewed against a POPIA background, the latter makes up a big chunk of the elephant to digest. I say this because the words used in the Act are defined to stretch wide:
- ‘Data subjects’ are living human beings as well as entities, such as companies, close corporations and trusts.
- ‘Processing’ of information includes almost any activity with personal information, for example, where the business collects personal information from a client, customer, employee or service/goods provider to the business, and uses it to issue an invoice or receipt, create a client ledger, to perform a service for the client, to provide a reference for a previous employee, and so forth. The information is typically recorded on paper, or in a computer, stored for a given period, and later deleted or destroyed. Each of the underlined activities constitutes ‘processing’ of personal information. In the industry, one often explains to clients that ‘processing’ of personal information refers to the whole lifecycle of the information in the hands of the business.
- ‘Personal information’, in turn, is defined to include any piece of information imaginable as long as it relates ‘to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person’.
Thus, no matter the size of the particular business, as soon as personal information of clients, employees and service providers is ‘processed’, compliance with POPIA is required. It is likely to be applicable to 99,9% of businesses: book shops, restaurants, hairdressers, furniture shops, online sales platforms, consulting services, accounting services, second-hand goods shops, attorney firms, estate agents, engineering firms, schools, homeowners’ associations, coffee shops, laundromats, training colleges, printing businesses, libraries – it is a long and varied list.
Contact the writer at email@example.com should you have enquiries or need information on complying with POPIA.