Page 18 - Waterfall Issue 5 2021
Waterfall Guest column
POPI Act 101
Guest Column written by Wendy Tembedza, Senior Associate at Webber Wentzel
With the 1 July 2021 commencement date of
the Protection of Personal Information Act 4
of 2013 (POPI) fast approaching, businesses
should be reviewing their use of personal
information to determine if it complies with the Act.
It is important to understand that any business that has
employees, customers and suppliers must comply with POPI
when dealing with personal information. Below are a few tips
on ways businesses can kick-start their compliance exercise.

FIGURE OUT WHAT PERSONAL INFORMATION YOU PROCESS AND WHY
Under POPI, a business must be able to justify why it holds personal information, based on one of the several justifications set out in POPI. This is a good opportunity for a business to assess what information it collects (whether from employees, customers, service providers or other third parties such as credit bureaus) and review whether that information is actually necessary for the purposes for which it was collected. In this regard, minimality is key – a business should not collect more personal information than is required. Importantly, the term ‘personal information’ is defined very broadly to mean any information that can be used to identify an individual person or another business entity.

GET RID OF WHAT YOU DON’T NEED
Under POPI, a business cannot keep a record of personal information once the reason for which it was collected no longer exists, unless required by law. For example, unless required by law, a business should not keep personal information of any former supplier when the relationship has ended. Businesses should therefore check whether they are holding onto any old records of personal information that they no longer need and dispose of them in a secure manner. It is important to note that more data means more risk and it is best to purge what is not required.

LOOK AT SECURITY
Correct management of personal information means appropriate security must be in place to protect it. POPI requires a business to put in place “appropriate, reasonable technical and organisational measures” to prevent loss, theft or damage to personal information. The suitability of security measures will depend on the business and the type of personal information it holds.

MARKETING
Opt-out marketing emails and SMSes are a thing of the past under POPI. Unless a person is an existing customer, a business cannot send him or her marketing emails or SMSes without first getting consent from the person. Any request for marketing consent must include language that is set out in Regulations to POPI. Businesses should therefore review their direct marketing practices.

GO FOR THE EASY WINS
POPI compliance may seem like a daunting task but there are some ‘easy wins’ when it comes to compliance. Basic documents used by the business will likely need updating for POPI compliance. These include company privacy policies and employee and supplier contracts. All of these documents should aid the business in proving its compliance with POPI.