POPIA: EIGHT PRINCIPLES

To be compliant with the Protection of Personal Information Act, No. 4 of 2013 (POPIA), an organisation must address the eight conditions for lawful processing (commonly referred to as the eight principles) set out in the Act. They are the generally accepted framework used throughout South Africa as the yardstick for a POPIA implementation.

 

1: Accountability

The responsible party (the organisation) must ensure that the conditions for lawful processing set out in POPIA, and the controls put in place to enforce them, are complied with. To do so it must designate an Information Officer who is responsible for driving and overseeing that compliance.

 

2: Processing Limitation

The second principle deals with the lawfulness of processing; the minimality of the information collected (only what is adequate, relevant and not excessive for the purpose); consent, justification and the data subject's right to object; and the requirement that personal information be collected directly from the data subject unless an exception applies.

 

3: Purpose Specification

The third principle provides that personal information must be collected for a specific, explicitly defined and lawful purpose, that the data subject from whom it is collected must be made aware of that purpose, and that records must not be retained for longer than is necessary to achieve it.

 

4: Further processing limitation

The fourth principle regulates the further processing of personal information. If a responsible party processes personal information for a purpose other than the one for which it was collected, that further processing must be compatible with the purpose specified under principle 3.

 

5: Information quality

The fifth principle provides that the responsible party must take reasonable steps to ensure that the personal information it has collected is complete, accurate, not misleading and, where necessary, kept up to date. In doing so, the responsible party must take into account the purpose for which the personal information was collected.

 

6: Openness

The sixth principle requires the responsible party to be open about its processing of personal information. It must maintain documentation of all the processing operations under its responsibility (the manual contemplated in the Promotion of Access to Information Act), and, when collecting personal information, it must take reasonably practicable steps to ensure that the data subject is aware of the collection. In particular, the data subject should be made aware of the name and address of the responsible party, the purpose for which the personal information is being collected, whether supplying the information is voluntary or mandatory, and his or her right of access to and correction of the information.

 

7: Security Safeguards

The seventh principle requires the responsible party to secure the integrity and confidentiality of the personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of the information, and unlawful access to or processing of it. The same obligations must be imposed by written contract on any operator that processes personal information on the responsible party's behalf, and a security compromise must be notified to the Regulator and to the affected data subjects.

 

8: Data Subject Participation

The eighth principle gives data subjects the right to request, free of charge, confirmation of whether a responsible party holds personal information about them; to request a description of that information and the identity of any third parties who have had access to it; and to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

 

WHAT ARE THE CONSEQUENCES OF NOT BEING POPIA COMPLIANT?

The consequences of non-compliance are significant and may even result in the loss of a licence to trade (where applicable). Even if a penalty is paid, the accompanying loss of reputation can have a devastating effect on any organisation. Where personal information has been accessed or acquired by an unauthorised person, POPIA requires the responsible party to notify the Information Regulator and then every data subject who may be affected by the compromise.

The following are the consequences of not being compliant:

  • Administrative penalties
    • Administrative fines of up to R10 million per contravention, imposed by the Information Regulator.
  • Criminal penalties
    • Certain offences under the Act carry, on conviction, a fine or imprisonment of up to 10 years.
  • Enforcement notices
    • An order from the Regulator to stop processing personal information.
  • Civil action
    • Data subjects may bring civil claims for damages, including for distress, and such claims can run into millions of rand.
  • General concerns
    • Loss of reputation and the subsequent loss of customers.