Are you prepared for POPI?

Get compliant now to avoid fines or worse

By Zeenat Moosa Hassan - 29 Jul 2021


In case you missed it, South Africa’s Protection of Personal Information Act (POPIA) took effect on July 1, 2020 and enforcement began exactly a year later, on July 1, 2021.

The Act applies to any company or organisation processing personal information in South Africa, including HOAs. The onus is now on the organisation to prove that its data capturing processes follow the requirements of the Act and are therefore lawful. Failure to do so can result in fines, imprisonment and, in the worst case, lengthy court cases. It can also land you in a PR nightmare, so it is a good idea to get compliant now if you haven’t done so already.

POPIA origins

In 2018, the EU implemented a new data privacy law known as the General Data Protection Regulation (GDPR) which gave citizens across the member states rights over their personal information. It quickly became a global data privacy standard, influencing legislation across the world in countries like Canada, India and Brazil.

South Africa’s POPI Act has been modelled on GDPR, although it is somewhat less demanding.

Unlike the GDPR, which only protects living individuals, the POPI Act also protects companies and organisations, meaning that very few sectors are exempt from it.


Four steps to ensure compliance

Chanique Rautenbach from Barnard Incorporated Attorneys suggests following these simple steps:

  1. Appoint an Information Officer and ensure that they are aware of their new responsibility to encourage compliance. If one isn’t appointed, then responsibility will automatically fall to the CEO or estate manager. The officer must be registered with the Information Regulator as part of their job will involve working with the regulator to carry out investigations and handle data related requests.
  2. Have a POPIA Policy in place. This should clearly outline the legal implications of the POPI Act and must be read and signed by all employees who handle personal information.
  3. Document proper procedures to be followed by every employee who handles personal information.
  4. Have a database of what personal information the organisation currently holds, where it was collected from, how it is to be used and who it is shared with. You must have consent from each person to be on the database.

How best to obtain consent?

The Act only permits you to hold the personal information of someone who is a customer of the business (a homeowner would be classed as a customer). You can’t use direct marketing, unless you have consent, or the individual is a customer of the business.

In the few weeks running up to 1 July, many businesses emailed everyone on their databases to give them a reasonable opportunity to object to having their personal data stored.

‘The Act is very clear on the issue of consent, and it is important that individuals, or data subjects as they are referred to in the Act, give consent for their information to be collected,’ explains Jeff Gilmour from the Association of Residential Communities (ARC).

‘This can be quite onerous because most estates need to keep data of homeowners for many reasons and already have rules and regulations on how this is collected and stored. However, there are a number of ways to ensure consent is given, but if you are unsure, consult an expert.

‘ARC partners with some of the best service providers, including specialists in the field of POPIA compliance and also have a tool kit available to all members that guides an information officer through the process of ensuring that all conditions of the Act are complied with,’ he concludes.

The repercussions of non-compliance

‘Should a company be non-compliant and there is proof of an intrusion or breach of personal information, the aggrieved party may lodge a complaint with the Information Regulator. In terms of the Act, the Information Regulator does not require a court order to institute a fine for negligence or non-compliance in favour of the aggrieved party. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine determined by the court can be levied. On top of this, the Information Regulator may institute administrative fines of up to R10 million,’ warns Michelle Orsmond from Hammond Pole Attorneys.

The POPI Act also provides for civil remedies where the court may award aggravated damages, interest or payment for damages as compensation for losses suffered by an individual as a result of a breach.

Being POPI compliant is not only a legal requirement, but also a way to build trust and loyalty. Find out more here: https://www.popiact-compliance.co.za/
