POPI isn't new in South Africa. The Protection of Personal Information Bill was around in 2009, which meant that the discussion had been going on for years before that. We became used to talking about POPI, and the Information Regulator is now preferring to use the term POPIA. Is there a difference?
What is POPI?
POPI stands for Protection of Personal Information. Regardless of whether there is a law or not, organisations should be considering what Personal Information they capture, manage and store, and how best to secure it. It makes common, logical sense that this information is sensitive and shouldn't be exposed. One of the principles that we all should consider is "privacy by design". This means that we should consider privacy implications in all our processes and systems, and build security and privacy concepts into the day-to-day operation of our organisations.
POPI is all about Privacy, and this means security. In order to secure information, organisations need to clearly understand what information is gathered and kept. This is going to require a detailed investigation and shouldn't be seen as a trivial exercise. Once understood, steps need to be taken to protect the information.
What is POPIA?
POPIA stands for the Protection of Personal Information Act, Act No. 4 of 2013. This is the new law and is something that most (if not all) organisations will need to follow. Is there a difference between POPI and POPIA? Yes and no. POPI is the act of protecting Personal Information. This implies that all the policies, procedures, processes and practices in the organisation relating to personal information are in fact doing POPI. You cannot "do" POPIA, as this is merely the name of the law.
In summary, in order to comply with POPIA, you need to implement a POPI programme. To implement one, there are a number of steps which need to be followed and a number of documents and instruments which need to be developed. We'll be documenting these as things progress.