POPIA compliance: Safeguarding Data Privacy in South Africa

29 January 2024, Armand Vermeulen and Dr Damian Viviers
Every year, 28 January marks World Data Privacy Day, celebrated globally to emphasise the critical need for privacy, particularly in recent times characterised by a continuously shrinking, interconnected and intelligent digital global community, in which data and personal information flow almost constantly through all aspects of life.

‘Privacy’ essentially entails that each person should have the ability to decide on the use of their personal information: what they want to do with it, and when and how it is shared. The constant evolution of technology and its continued sophistication mean that the flow of information and the processing of data continue to gain focus as a fundamental cornerstone of this evolutionary process. This in turn continues to increase the risk to people’s privacy, which needs to be protected.

In South Africa, every person’s right to privacy is enshrined in the Constitution, from which flows the Protection of Personal Information Act (“POPIA”), aimed at safeguarding this right, which regulates when and how personal information is used. Compliance with POPIA is not just a recommended practice, but a legal obligation that businesses must prioritise, if they wish to avoid sanctions, as well as potential financial and reputational harm.

POPIA places explicit responsibilities on businesses that obtain and process personal information in some form or another. Since almost every business processes personal information, whether it relates to other businesses, their clients/customers, employees, contractors or other stakeholders, they are required to comply with POPIA. Failure to do so could result in severe sanctions.

These responsibilities, in terms of POPIA, mandate strict adherence to, for example, data accuracy and security, obtaining consent from parties before collecting and processing their personal information, and ensuring that any third parties to whom such information is passed on also remain POPIA compliant, to name just a few.

In order to enforce compliance with POPIA, and more specifically the obligation of data security, the Information Regulator has recently ramped up the frequency of assessments, audits and investigations and has started issuing severe fines for non-compliance with POPIA.

These sanctions serve as a stark reminder of the legal consequences businesses may face where they fail to adhere to POPIA. Penalties and fines of up to R10 million and/or imprisonment of up to 10 years in extreme cases are all possible ramifications of non-compliance, as is the possibility of being sued by data subjects whose rights have been infringed.

The recent increase in the number and frequency of assessments also indicates the Information Regulator’s commitment to its mandate, signalling that businesses will need to proactively adapt their practices to align with the evolving regulatory landscape in order to avoid legal repercussions.

A recent fine issued by the Information Regulator in 2023, totalling R5 million, illustrates, among other things, that businesses are required to focus on executing and updating stringent data collection and protection (POPIA) policies, consulting relevant experts for advice, implementing and maintaining up-to-date secure IT systems, appointing information officers, and ensuring that employees receive training on the relevant policies and their implementation.

If your business has not yet taken the steps to ensure its compliance with POPIA, or if you are uncertain whether your business’ current policies, procedures, and systems are adequately in place and sufficient, we strongly advise that you seek legal advice from POPIA specialist attorneys. This will help ensure that your business has the correct POPIA framework in place.

Disclaimer: This article is the personal opinion/view of the author(s) and is not necessarily that of the firm. The content is provided for information only and should not be seen as an exact or complete exposition of the law. Accordingly, no reliance should be placed on the content for any reason whatsoever and no action should be taken on the basis thereof unless its application and accuracy have been confirmed by a legal advisor. The firm and author(s) cannot be held liable for any prejudice or damage resulting from action taken on the basis of this content without further written confirmation by the author(s).