Article by Adams & Adams
The GDPR is an EU regulation. It does not have general effect in South Africa and is not a local law in this country. But parties that process personal information in South Africa might still have to comply with the GDPR, because the GDPR has so-called “extra-territorial application”. A person or entity in South Africa will need to comply with the GDPR’s requirements if it processes the personal information of someone based in the EU, but only where that processing relates to the offering of goods or services to people in the EU or to the monitoring of behaviour that takes place in the EU. For example, you will need to comply with the GDPR if you sell products to people in the EU, or if you operate a website that tracks the behaviour of people in the EU by using cookies. Of course, it remains to be seen how the GDPR will actually be enforced against parties outside the EU.
Even though the GDPR might not apply to you, it is still a good time to start getting ready for POPI – South Africa’s own data protection law. POPI is based on the GDPR’s predecessor, the EU Data Protection Directive. There are also many similarities between POPI and the GDPR.
Why it is vital that companies gain a practical understanding of POPI now, and what the consequences are of not doing so.
It is important to do a high-level analysis of the personal information in your company before embarking on the POPI implementation journey. Companies should be doing this now and not waiting for the long-anticipated commencement date.
Organisations should have already started to identify the risk areas and be working on these. Alongside this activity, there should be a task team that takes on the responsibility for POPI compliance and readiness.
There are many misconceptions surrounding POPI. Many people do not even realise that POPI is not yet properly in force. Organisations need to understand when POPI will apply to them, and when not. If they understand how POPI works, they can adapt their processes accordingly.
Some organisations will be able to remove some of their activities from POPI’s reach by making simple changes. For example, if data falls outside the definition of “personal information”, that data will not be covered by POPI’s provisions. Accordingly, some organisations can change their data-gathering habits to avoid collecting data that constitutes personal information. Note that this only works if the data genuinely cannot be linked to an identifiable person; data that has merely had names removed but can still be traced back to an individual remains personal information.
So what are the three key factors to consider when preparing for POPI?
- Determine what kind of personal information you are processing and why you are processing it.
- Accept that POPI compliance is necessary to avoid fines and reputation damage, but that it can also make your business more efficient and streamlined.
- It will be important to raise awareness in your organisation. Compliance is easier if the people in your business are familiar with POPI’s requirements and know where the issues lie.
For organisations that retain large quantities of personal data, identify the various types of information being collected and retained. Decide whether you can limit your collection and retention practices. Determine whether you need all the information currently being retained and whether some of it can be deleted.