With 1 July fast approaching, businesses should be reviewing their use of personal information to determine whether it complies with the Protection of Personal Information Act 4 of 2013 (PoPI).
Wendy Tembedza
It is important to understand that any business that has employees, customers and suppliers must comply with PoPI when dealing with personal information. Below are a few tips on ways businesses can kick-start their compliance exercise.
Figure out what personal information you process and why
Under PoPI, a business must be able to justify why it holds personal information based on one of the several justifications set out in PoPI.
This is a good opportunity for a business to assess what information it collects - whether from employees, customers, service providers or other third parties such as credit bureaus - and review whether that information is actually necessary for the purposes for which it was collected.
In this regard, minimality is key – businesses should not collect more personal information than is required. Importantly, the term "personal information" is defined very broadly to mean any information that can be used to identify an individual person or another business entity.
Get rid of what you do not need
Under PoPI, a business cannot keep a record of personal information once the reason for which it was collected no longer exists unless required by law. For example, unless required by law, a business should not keep the personal information of any former supplier when the relationship has ended.
Businesses should therefore check whether they are holding onto any old records of personal information that they no longer need and dispose of them in a secure manner. It is important to note that more data means more risk, so it is best to purge what is not required.
Look at security
Correct management of personal information means appropriate security must be in place to protect it. PoPI requires a business to put in place "appropriate, reasonable technical and organisational measures" to prevent loss, theft, or damage to personal information.
The suitability of security measures will depend on the business and the type of personal information it holds.
Opt-out marketing emails and SMSs are a thing of the past under PoPI. Unless a person is an existing customer, a business cannot send him or her marketing emails or SMSs without first getting consent from the person.
Any request for marketing consent must include language that is set out in regulations to PoPI. Businesses should therefore review their direct marketing practices.
Go for the easy wins
PoPI compliance may seem like a daunting task, but there are some "easy wins" when it comes to compliance. Basic documents used by the business will likely need updating for PoPI compliance. These include company privacy policies and employee and supplier contracts. All of these documents should help the business demonstrate its compliance with PoPI.