What POPIA means for business

The POPI Act ensures that the right to privacy is taken seriously and includes a data subject's right to be protected against any unlawful collection, retention, dissemination and use of their personal information.

Companies are required to receive consent from individuals before they can obtain, retain and process personal information for communication or any other purpose. As per "Conditions for lawful processing", the definition of "Personal Information" includes contact details, demographic information, personal history, as well as communication records.

The POPI Act highlights the need for a greater understanding of the manner in which personal information is stored and processed. This means that the systems, the processes, and the way logical and physical access is maintained and managed for the systems and areas housing personal information all need to be considered.

Protection of Personal Information requires extra vigilance in all aspects of physical and information security. The basis of the POPI Act is to protect personal information and prevent information from being exposed to unauthorised persons. As a result, this implies an obligation to protect information relating to individuals and juristic entities from any damage, including financial fraud, identity theft, misuse and the abuse of personal information.

The POPI Act requires that a set of streamlined processes and systems be established that can easily identify where personal information is stored, how this information is processed physically and electronically, who has access to this information, and for what purpose it is required.

This article must be read in conjunction with the POPI Act, which can be downloaded from Act No. 4 of 2013: Protection of Personal Information Act, 2013.