The Protection of Personal Information Act (POPI) is expected to be introduced soon, bringing with it a host of new changes regarding privacy laws in South Africa.
Chief among these are new protections for everyday South Africans as well as a number of mandatory changes for businesses in South Africa.
Tatum Govender, an associate at Norton Rose Fulbright, says that, while the official date for POPI’s implementation hasn’t been announced yet, South African companies will have just 12 months from the commencement date to ensure they are compliant.
At this point, South African consumers may request the takedown of any personal information stored by a South African business, in the prescribed manner.
While this manner will only be released in the final regulations, it is likely to follow the Promotion of Access to Information Act (PAIA), under which you fill out a specific form and pay a prescribed fee.
In addition, the requester must provide adequate proof of identity.
“Businesses can refuse to remove personal information if they can provide credible evidence as to why it should not be removed,” Govender said.
“If an agreement with a client cannot be reached on whether or not the information should be removed, the information must be marked so that anyone who accesses it is aware that a request for removal was made but not granted.”
Govender said that if a business fails to respond to a request for removal, or refuses to remove the information, a complaint may be lodged by the client, or any other person, with the Information Regulator. The Information Regulator may then undertake an investigation.
“The Information Regulator’s investigative powers are wide and include inspections of premises, entry, search and seizure and calling of witnesses,” she said.
Big challenges for business
Govender noted that, in addition to the takedown requests, companies will also no longer be allowed to keep excess information, and can only keep copies which are required for a specific, legitimate purpose.
Speaking to BusinessTech, Mike Rees, territory account manager for Commvault South Africa, said that South African businesses now faced a mammoth task in ensuring they complied with the new regulations.
One of the biggest challenges is the fact that businesses can only store and access limited copies of customer data.
He highlighted that many organisations have multiple copies of customer data stored in various locations across the business, for access by various departments.
“From a business perspective it’s actually quite challenging,” he said.
“Currently you have your information in a database, in a spreadsheet, on multiple laptops as well as in the cloud. You can’t just leave it up to the IT department to track this information. How do I remove the data even if I don’t know where it is?”
He noted that one of the easiest ways to find this information is through indexing and searches, but there was still no single solution for South African businesses.
“There’s not some sort of panacea. There’s no way to ‘take this’ and all of your pain will go away.”
As a result, Rees believes that a number of South African businesses will have to drastically change some of their current business practices.
Citing the iStore as an example, he noted that it will no longer be possible for them to request an ID when buying an Apple product if it’s information they already have on their database.
Penalties
Govender said that, in addition to action taken by the Information Regulator, certain actions are outright offences (e.g. obstructing the Regulator) and may result in immediate criminal prosecution or administrative fines.
With such a big change being required of South African businesses, and questions of who will enforce the new laws, Rees believes that many companies may opt to simply take the fine.
However, he said that will not be an option for larger companies and businesses looking to do international deals, as the law requires them to be POPI and GDPR (international) compliant.
It is no longer a case of whether or not you should comply, Rees said, but rather a question of what tools are at your disposal as a business to make the transition easier.
“Do it because it makes good business sense, not because someone is holding a stick,” he said.