By: James George, Compliance Manager, Compli-Serve SA
If you’re panicking about Protection of Personal Information Act (POPIA) compliance, don’t. This is according to Elizabeth de Stadler of Novation Consulting when speaking at Compli-Serve SA’s webinar on getting POPIA compliant.
While there is work to be done, there are also myths circulating about what falling behind could mean, along with plenty of incorrect information in between.
Here are five myths, each followed by the truth. Together they amount to top tips for getting closer to POPIA compliance. Having the right information (and the right to it) is really what it's all about.
- POPIA is overwhelming and the deadline is threatening
While you shouldn't rest on your laurels, don't waste time panicking or stalling your compliance planning. Chances are the regulator also needs time to get its ducks in a row, so focusing on a few key strategies to improve compliance is the best approach to take.
- Personal information is already in the public space – sorry, this is not a defence
You can't just do what you like with personal information. POPIA makes scraping the internet for personal information about potential customer leads a lot riskier. Just because contact information, for example, is available on the internet does not necessarily mean you can use it for commercial purposes. The default rule in Section 12 of POPIA is that you must collect personal information directly from the data subject concerned. There are a few exceptions to this default rule, for instance where the data subject deliberately made the information public, or where the personal information is contained in a public record administered by a public body. There is also the frustratingly grey option of where it is 'not reasonably practicable in the circumstances of the particular case' to collect the personal information directly from the data subject.
The point is that not everything on the internet was made public by the person concerned (hardly any of it was), and the internet is not administered by a public body. Your key takeaway should be that if you want to collect personal information for commercial purposes from any source other than the data subject, get legal advice first.
- Consent will save you…
'By signing this, you accept this…' is a typical example of a consent clause, but this type of consent is not valid under POPIA. Additionally, under POPIA, selling personal information without a valid legal basis is like selling a stolen car. Section 11 of POPIA lists six legal bases for processing (that is, using) personal information, and you must be able to justify your processing on one of these grounds to comply. Think about it first: consent should be your last resort as a legal basis for processing personal information. Summed up, you can lawfully process personal information if:
- it is necessary to conclude or perform in terms of a contract;
- you need to comply with an obligation imposed by law;
- you are protecting the legitimate interest of a data subject;
- it is necessary for the proper performance of a public law duty;
- you are pursuing the legitimate interest of the responsible party or of a third party; or
- you are processing the personal information with the consent of the data subject.
If you’re still not sure which option applies, Elizabeth suggests you ask yourself the following questions:
- Is the processing necessary to conclude a contract, or to comply with legislation?
- Are you protecting a vital interest of the data subject? (It's important that they are given the option to opt out.)
- Are you a public body performing a public law duty? (The data subject's right to object also applies.)
- Are you protecting a legitimate interest of your organisation or a third party? (The option to object must be included too.)
If the answer to all of these questions is no, then you should ask for the data subject's consent to process their personal information.
By way of example, employment information doesn't necessarily require consent, as employers are required to collect certain records about their employees to comply with labour legislation.
Elizabeth shared another example: Amazon using personal information for predictive analytics. It suggests products you might like based on your shopping behaviour, but it tells you that you can opt out of these suggestions. "I can unsubscribe, but the way they've approached it ensures I see some shopping deals too. You might prefer to opt out, but allowing predictive analytics also makes for a better experience on the Amazon app." Amazon can do this because it is relying on a legitimate interest (you are likely to be interested in the suggested products), and it has given you a way out.
- If you have a breach, you will get fined
You won't get fined for having a breach if you can show you had satisfactory measures in place to prevent it. No business will ever be perfectly compliant with POPIA either (compliance is a moving target, because your organisation will keep processing new personal information in new ways). Still, you are required to have proactive risk management controls in place. "This is called behaving reasonably and avoiding negligence where you could," Elizabeth adds. "You can, however, get fined for not reporting a breach."
- POPIA only applies to information gathered from 1 July 2021
Wrong again. POPIA applies to the processing of all personal information, whenever it was collected. "Even if you collected the data 100 years ago, POPIA compliance needs to be applied." You still need a lawful basis under POPIA to process this personal information, and you must comply with POPIA's other requirements for storing, sharing and securing it.
Keeping these five points in mind on your journey to POPIA compliance will certainly help, as will working with a trusted compliance officer who can lead the way.