Our Insights

Filter: Data Protection
Your privacy is important to us

Article, 14 July 2021, Jan Berry

We are compliant with POPIA and take your privacy and the protection of your personal information very seriously. We are committed to managing your personal information in accordance with POPIA so that you can continue to engage with us in confidence.

Data breaches in terms of POPIA: what you need to know

Article, 16 April 2021, André van Niekerk

Our consultancy business has quite a diverse client base. Over the weekend, the laptop of one of our employees was stolen. The laptop contains personal information of our clients and it appears that it was not password protected, making the data accessible. Will this be a data breach in terms of POPIA, and if so, what are we required to do?

POPIA deadline looming and regulations about to take effect

Article, 16 April 2021, Dr Damian Viviers

I own a local store making custom items for our clients. Because of the nature of some of the client requests I have to use other suppliers and have to share basic information about my clients with them. I am aware of POPIA and I understand that we need to comply, including with new regulations that I understand have been issued. My question is to what extent and by when will I need to meet all these requirements?

5 reasons why POPIA is not a curse word

Article, 03 February 2021, Dr Damian Viviers

POPIA has for years, and especially since coming into effect on 01 July 2020, attracted significant attention. While this legislation does of course place new compliance obligations on businesses during a time of economic difficulty and uncertainty left in the wake of the COVID-19 pandemic, it is certainly not bad news, whether seen from a business or personal perspective. Here are five reasons why the coming into effect of POPIA is actually a really good thing:

1. The flow of personal information is now better regulated – POPIA imposes new rules and accountability for how personal information may be used and shared.
2. Data security – POPIA requires that any entity in possession of your personal information must take active measures to ensure that they keep your information safe and secure.
3. Access to information – Any entity that is in possession of your personal information must, at your request, confirm that they hold such information and provide you with access to it.
4. Notification – POPIA requires that if a business has experienced a data breach during which your personal information has been compromised or leaked, they must inform you of the breach and of any measures they have taken to remedy it.
5. Quality marketing – POPIA has changed the rules regarding electronic direct marketing and essentially requires businesses of which you are not an existing client or customer to obtain your consent before they can market their goods and services to you.

Hence, five solid reasons not to view POPIA as a curse word, but rather as legislation that does in fact make our world a better place.

2021: The year of POPIA

Blog, 01 January 2021

The year 2021 is here, being the year that businesses will have to become POPIA compliant or face the risk of being held accountable under the Protection of Personal Information Act 4 of 2013. It is therefore quite appropriate to prioritise POPIA compliance as one of your main New Year’s resolutions. In the spirit of helping you ease into POPIA compliance, here are a few handy tips that can help you kickstart your POPIA compliance project:

Tip 1: Assemble a POPIA compliance project team

Determine who will be the Information Officer and Deputy Information Officers for your business. The Information Officer is an individual within an entity or institution who is charged with ensuring compliance with POPIA and who is responsible for the governance, management and security of personal information. The default Information Officer will generally be the executive head of that entity or institution, as well as any person duly appointed by the Information Officer to perform his or her duties. After identifying the above individuals, consider adding the IT person, HR, sales and legal to the POPIA compliance team to ensure that all bases of your business are covered, as these different departments may offer valuable insight on how POPIA should be implemented practically across the full spectrum of your business.

Tip 2: Conduct a preliminary investigation

Now that you have a task force assembled, get the POPIA compliance team to consider the following as a preliminary investigation aimed at establishing how your business processes personal information:

- What customer information does your business collect? Think about type and sensitivity, and whether it qualifies as personal information.
- How does your business store the customer information which you collect? Do you store everything online or in hard copy format?
- Where is the customer information stored and who has access to it? Think about what information is accessed by all employees, and what is limited to sales, HR, the IT department or management.
- Is the information of customers transferred to any third-party operators, for example for storage or destruction purposes?
- What employee information do you have and where do you store it? Who has access to employees’ HR files and with which third parties is information shared (such as pension funds, medical aid, etc.)?
- What service providers does your business use and do they have access to your customer or employee information?
- How secure is the personal information which you store (think about physical barriers as well as technical security measures such as the anti-virus programmes which you use)?
- Does your business engage in direct marketing and how is this done (electronically or by telephone/in person)?
- How is the personal information that your business collects and stores eventually destroyed? Is the method of destruction and/or deletion secure?
- Does your business sell any data that may contain personal information of others?

Tip 3: Work out a budget

Once you have an idea of what needs to happen and who will be on the POPIA compliance team for your business, you can get a better sense of how much outside help you will most likely need in order to become POPIA compliant. Remember to include POPIA compliance in your annual budget planning. Ask a few service providers to send quotes to get the compliance process started.

Tip 4: Ask for help and approach experts

Don’t be scared to approach legal and IT experts for assistance to become fully POPIA compliant, as data and privacy protection is a specialised field. Most businesses will not have the necessary tools or knowledge to do everything themselves, and this is okay. Specialists will be happy to assist you in gaining compliance.

Tip 5: Review your current policies

Get updated copies of all your policies which may involve elements related to the processing of information (think information security management, marketing or HR policies) and review them or have them reviewed by legal experts. Consider whether these policies contain anything relating to personal information and whether they adequately describe how such information will be protected or set out measures to be taken in order to ensure that data is handled in a secure manner. If gaps are identified in certain policies, make a list for future reference to include in your POPIA compliance plan, so that the policies can be updated and implemented over time.

Tip 6: Draft a POPIA compliance plan and policy

Plan how to achieve POPIA compliance and incorporate it in a formal business plan. This plan should clearly set out how your business will aim to become POPIA compliant and have set deadlines to achieve identified goals. The ultimate aim is to develop an overarching POPIA policy which sets out the implementation plan and how the business deals with the processing of personal information in a manner which is consistent with the provisions of POPIA, from point of initial contact to destruction/deletion of such information.

This is the year of POPIA, but it need not be a daunting task if the right building blocks are put in place at the start. Don’t procrastinate until it’s too late – get the ball rolling this new year and kickstart your compliance project while there is still time to become compliant. Should you need help, we have a range of POPIA related solutions ranging from online training solutions to extensive POPIA compliance plans that can be tailored for your business’ needs and to assist you with your POPIA compliance.

Can your ex-spouse circulate your private information?

Blog, 10 November 2020

My ex-husband still has access to our shared cloud account. Unbeknown to me, this meant he could see all my back-ups of messages, photos and other personal information. Our divorce did not end well and he is now sharing private and personal information of me with third parties to embarrass me and to try and portray me as a bad parent. What can I do to stop him?

Consent and POPIA: what you should know

Article, 12 October 2020

In my business I receive and store personal information of my clientele. I have a sign-up form for my new clients and was wondering whether I would be compliant with POPIA if I include a once-off consent to process their information in this form. Will this be sufficient for POPIA?

Data intensive businesses and POPIA

Article, 11 September 2020, Dr Damian Viviers

My business processes and stores quite a large amount of information relating to our clients. We are well aware of POPIA, which has now come into effect, and have been putting basic processes in place. However, I remain concerned that we are not doing enough or are underestimating our obligations. What should I be preparing for?

The impact of POPIA on the property industry

Blog, 25 August 2020

With the Protection of Personal Information Act 4 of 2013 (POPIA) having come into effect on 1 July 2020, it is vital that the property industry also considers the impact and application of POPIA on itself. Here I briefly explain what can be expected, with specific reference to Estate Agencies and conveyancing firms and their clients, with regard to the scope of consent as well as the storage and protection of personal information.

These are challenging times for businesses in South Africa, because along with the economy slowly picking up pace for the first time since Covid-19 struck, businesses to which POPIA applies only have until 30 June 2021 to ensure that they comply with it. POPIA aims to safeguard the personal information, including identity and proof of address documentation, of persons (known as Data Subjects in terms of the Act) whose information is collected, used, shared and destroyed (regarded as Processing) by what are termed Responsible Parties. All businesses are now required to implement various processes to achieve this aim.

Regarding consent, POPIA places an important responsibility on Responsible Parties such as Estate Agencies and conveyancing firms that process contact and identification details of Data Subjects. This means that you, as the Responsible Party, can only obtain and use the personal information of Data Subjects with their consent. Consent extends to the identity and proof of address documentation obtained from both the seller and buyer of property, the Data Subjects. However, consent is not expressly needed in all cases: the personal information referred to above can be shared with related parties, such as the bond registration attorney and the banks involved in a particular transfer, for the purpose of achieving the mandate of the Estate Agent and the Conveyancer, without the Data Subject’s consent.

Moreover, it is important to remember that the personal information can only be stored until the mandate has been completed or, as industry practice suggests, for five years after the personal information has served its purpose. Data Subjects may request from you, free of charge, that all original documents, including the title deed of the property, be returned to their respective and rightful owners once they have served their purpose.

In as far as direct marketing is concerned, especially on the side of the Estate Agency, the Estate Agency may now only advertise its services or products (houses for sale) by way of unsolicited electronic communication such as SMS or electronic mail once the client has agreed thereto following a once-off “opt-in” request for express consent to allow the Estate Agency to use the client’s personal information for direct marketing purposes. This applies to both existing and new clients of the Estate Agency. The request should only inform the client of the services or products the Estate Agency would like to market to the client, and that their consent is required for them to receive it. However, the client should still be given the opportunity to “opt-out” of the direct marketing each time such marketing occurs. It is therefore advisable to draft or update your data privacy policy to deal with such required consent and access to personal information.

As a Data Subject (the buyer or seller), your personal information should be collected directly from you unless the information is derived from a public record or has deliberately been made public by you. For this reason, be careful what personal information you publish online, as you may unintentionally be making your personal information ‘free-for-all’.

In relation to obtaining consent, the practice currently being followed in the property industry by some conveyancing firms and Estate Agencies is the use of a POPI Declaration, by which the Data Subject is asked to consent, among other things, to the collection, storage and sharing of the Data Subject’s personal information with a FICA Accountable Institution that is a party to the transfer. Otherwise the Data Subject will, upon request, need to provide the necessary consent to each party.

POPIA also places specific obligations on the Responsible Party that stores personal information, in order to protect the Data Subject from suffering damage or harm, and provides the Data Subject with remedies should the Responsible Party breach the obligations imposed on it by POPIA. These obligations extend to the distribution of personal information to third parties (identified by the Act as Operators) who store or destroy such information on behalf of a Responsible Party in terms of an agreement. This means that outsourcing personal information to an Operator for storage or destruction purposes does not absolve you from your obligations under POPIA. You will still be held responsible if the Operator compromises the personal information. That is why it is vital that a proper agreement is in place between the Responsible Party and the Operator, in order to ensure that the Operator’s obligations regarding the storage and destruction of personal information are clearly stipulated in terms of POPIA.

Furthermore, personal information should be adequately protected by Responsible Parties, whether such information is stored digitally or in hard-copy format. This is to prevent the misuse of the information by third parties for fraud, identity theft or other unauthorised purposes. Estate Agencies and conveyancing firms should consider the generally accepted data protection measures and procedures required in the property industry, including data encryption, installation of CCTV cameras, safes, firewalls and anti-virus software, as well as password policies and secure file destruction protocols. It is also important to train employees on such measures and procedures and on how to deal with data breaches as mandated by POPIA.

Bear in mind that, as cumbersome as compliance may sound, the cost of complying with POPIA is far less than the cost of non-compliance, as not complying may cost Responsible Parties up to R10 million in fines and/or 10 years imprisonment. Although 12 months sounds like a long time to become compliant with POPIA, compliance does take time and you are advised to comply well before this grace period ends in 2021. Compliance will go a long way in building client confidence in your business. It will also create business legitimacy and attract other businesses, local and abroad, that are willing to work with a compliant business such as yours!

Don’t get caught with your POPIA pants around your ankles

Blog, 17 August 2020

With all the Covid-19 happenings dominating the media lately, it nearly slipped through that some of the remaining provisions of the Protection of Personal Information Act came into effect on 1 July 2020. Does this mean that all businesses must now comply?

Date announced: POPIA commences on 1 July 2020

Blog, 23 June 2020

Don’t let this be a ticking time bomb for your business – get your affairs in order NOW, before the clock starts ticking on 1 July 2020.

After what feels like an eternity of waiting for the Protection of Personal Information Act 4 of 2013 (“POPIA”) to come into force, we finally have a date which you can save on your digital business calendar as POPIA’s big day! President Cyril Ramaphosa has taken a brief break from handling all things COVID-19 related and announced that the majority of the Protection of Personal Information Act’s provisions will come into force on 01 July 2020.

It is important to take note of the commencement date, since the one-year grace period will start running from 01 July 2020 and end on 30 June 2021. This means that you and your business will soon have a mere 12 months to become compliant with the provisions of POPIA or risk facing penalties imposed by the Information Regulator, suffering reputational damage or even having legal action brought against you.

For all those procrastinators out there, don’t make the mistake of thinking that 12 months is a long time and become complacent. The process of becoming compliant may be quite time-consuming and can take anything from a few months to a few years to get everything running smoothly! Ideally, businesses should aim to get their compliance procedures in place well before the grace period ends next year, in order to ensure that the implementation of compliance procedures is as error-free as possible, leaving enough time to ensure compliance with POPIA and for employees to become familiar with their new obligations to ensure data protection.

If that wasn’t enough to motivate you to take action, consider the severe penalties which may be imposed for non-compliance with POPIA: penalties may range from fines of up to R10 million to a jail sentence of up to 10 years, depending on the seriousness of the breach. More than that, action by the Information Regulator may also cause reputational damage, which may be devastating for your business at a time when economic circumstances are already challenging.

We suggest you arrange a consultation with an attorney who specialises in information and data protection as soon as possible in order to develop a tailored POPIA compliance plan for your business on how to attain compliance with the Act. Should you need help, we have a range of POPIA related solutions ranging from online training solutions to extensive POPIA compliance plans that can be tailored for your business’ needs and to assist you with your POPIA compliance. See our other POPIA articles on our website, contact us for an in-depth workshop or training seminar on POPIA, or let us do a POPIA audit on your business to enable you to identify the areas that may need attention.

Data security under POPIA is important even for small businesses

Article, 12 February 2019

I’m the owner of a small advisory firm. A few days ago, one of my employees left his laptop in the car during the weekend and it was stolen out of his car. I now hear that the IT guys forgot to have encryption activated on his laptop. With client information on the laptop, I’m worried about whether I could be in breach of POPIA. Am I?
