POPI compliance essentials for small and micro enterprises in SA
Big changes are on the cards for South African businesses with the enforcement of the Protection of Personal Information (POPI) Act. POPI (or POPIA) is South Africa’s equivalent of the European Union’s General Data Protection Regulation (GDPR) which outlines conditions for parties to lawfully process personal information.
The Act came into effect in July 2020 and businesses were given 12 months to comply before the enforcement deadline of 1 July 2021. This means that if you haven’t already done so, you need to get compliant quickly. We know that many small businesses and micro enterprises have been hesitant to get on board with POPI because the requirements are difficult to interpret and there is a lot of contradictory information out there. Most of the information is aimed at medium to large companies, which are able to get lawyers and POPI specialists working on the matter. That leaves us smaller guys trying to figure things out for ourselves.
So this article aims to clarify the minimum steps for small and micro enterprises (e.g., sole traders, mom-and-pop businesses, guest houses, small agencies and individual professionals) with very simple information-gathering processes. By simple, I mean you have a website contact form that collects names and email addresses, or you have a small website store where payment processing is done by a larger company (e.g., PayPal). You do not collect and process detailed financial or personal information from clients, for example to sell insurance. If you do handle that kind of detailed information, I recommend you get specialised advice (try InfoSecEnforcer or Michalsons).
Disclaimer: Please note that we are not lawyers and are not giving legal advice – we are only conveying our understanding of the implications of POPI and steps you can take to generally be in line with the Act. If in doubt, seek specialist guidance.
This article on POPIA is in two parts. The first (where you are now) introduces POPI and outlines some of the changes you will need to make in your business. Part 2 covers what you need to do on your website to make it compliant.
POPI is essentially about three things:
- Respecting privacy rights
- Protecting personal data
- Processing data lawfully
Implementing the POPI requirements in these three areas might require changes in how you run your business and market your services. Some of the implications are discussed below:
1. Respecting privacy rights
This means that as a business owner, you need to respect the privacy of your clients’ information. You may not sell that information or give it to anyone else. You may also not buy leads from data brokers. The only leads you may work with are those where you can show that people have opted into receiving messages from you.
One area where this can affect small businesses is the common practice of subscribing people to an email newsletter when they fill in a contact form on your website. This is no longer allowed, as the visitor has not given you permission to subscribe them to a list. The way around this is to use a contact form that has a checkbox that people must tick to give explicit consent to be subscribed to your list, or to have a separate subscription form on your site. And always make sure that your newsletters are sent using a service where recipients can unsubscribe automatically at any time (e.g., Mailchimp, Sendinblue, AWeber). These services also retain a record of when each person subscribed to your list, so you can respond to anyone who asks how they got on your list. You should also use a service like this when sending general communications to your existing clients – always give them the option to unsubscribe.
If you automatically subscribed your existing clients to general notifications from you, it is a good idea to ask them permission to continue sending them updates. In your next email to clients you can explicitly invite them to unsubscribe from further communications if they no longer want to hear from you.
2. Protecting personal data
POPI requires you to take steps to protect your company data and the data of your clients. The Information Regulator needs to be informed of any data breach or theft. For instance, if a laptop is stolen and it contains client data, you need to inform the Regulator. You also have to tell them if your computers or website are hacked and any data is exposed. For this reason, we recommend you protect all computers with strong internet security software that protects against viruses, phishing and ransomware attacks (i.e., not just antivirus software but a full internet security suite).
Protecting personal data also means that you back up that data so it cannot be lost through theft, fire or ransomware attacks. Online backup is relatively cheap and you may even have some available already. For instance, if you use Microsoft Office, you get at least 1TB of data backup space for each user. Dropbox is another popular backup solution. Just make sure your computers are password-protected (and, ideally, that their drives are encrypted, since a login password alone does not stop someone reading a hard drive they have removed from the machine) so that if they are stolen, the thieves can’t get into your online backups.
And speaking of passwords – don’t just keep your passwords in a document on your computer. If you lose the computer, you will expose the passwords and infringe POPIA. Instead, consider using a secure password vault such as LastPass (lastpass.com) or the vault offered by your internet security software (e.g., Kaspersky Password Manager).
3. Processing data lawfully
This means, among other things, that you should only collect the minimum information necessary to perform the service and that the information you collect is relevant to that service. Don’t ask people for their medical history if you are selling knitted jerseys.
Who administers and enforces POPIA?
POPIA is enforced and administered by the office of the Information Regulator. The Regulator reports to Parliament and has extensive powers to investigate and fine responsible parties. Data subjects (that’s you and me) can lodge complaints with the Regulator over data misuse.
Registering an information officer for your business
POPIA requires that all businesses appoint an information officer and a deputy who will be responsible for ensuring compliance with the Act. The information officer must be a senior member of the organisation. Read more about the role of the information officer.
NB – you need to register the information officer with the Information Regulator. You can do this using the Regulator’s online portal: https://www.justice.gov.za/inforeg/portal.html
(At the time of writing this, the portal is often offline and the Regulator has extended the deadline for registration)
POPI and PAIA
POPI works together with the Promotion of Access to Information Act (PAIA). It adds new requirements for PAIA manuals. At present, few seem to be absolutely sure what this entails or even whether you need a PAIA manual – small businesses seem to be exempt. Read this for a more legally sound opinion on PAIA and POPI.
Consequences of non-compliance
Failure to comply with POPI can expose you to huge fines and even a prison sentence. But it’s important to put this in context – the intention of the Information Regulator is not to bring out the big guns for every minor infringement of the Act. These heavy censures are for businesses that wilfully disregard the Act and actively market in ways that infringe on people’s right to data privacy. If you are responsible with your data collection and communicate helpfully with anyone who requests deletion of their information, you should easily be able to stay on the safe side of the law. In practice, the Regulator is not going to go out looking for infringements; it will simply act on complaints raised by members of the public. So at the very least, don’t do anything that irritates people so much that they are driven to lodge a complaint.
In the end, POPI can be seen as a very positive move that will help to curb internet crime and protect our own information from misuse by spammers and call centres.
Continue reading Part 2 of this article for an outline of what you need to do on your website to make it POPI compliant.