Have you ever registered to take part in an event that was sponsored by a mobile network provider and then, a few months later, started receiving incessant cold sales calls from the same network provider? The finer details of your own story might be different, but you can probably recognise the broad strokes.
Historically, there haven’t been enough safeguards on how personal information is used. Databases were bought and sold between companies and people were never sure what filling in a form and accepting the terms and conditions really meant. The POPI Act was promulgated to remedy that.
The Protection of Personal Information Act (Act No 4 of 2013), known more informally as The POPI Act or POPIA, promotes the right to privacy of individual citizens by governing the acquisition, use, transfer, storage and destruction of personal information by organisations. The act is now in full effect and organisations have until 1 July 2021 to ensure that they comply or they can face fines of up to R10 million and jail time.
It’s important that everyone gets acquainted with the act. However, it’s a hefty 149-page document, so we’ll make it easier for you by answering three basic questions on how it pertains to your data.
1. What counts as personal information?
The purpose of the POPI Act is to keep personal information as private as possible while allowing businesses and organisations to conduct their operations. According to the act, the definition of personal information is any information that can be used to identify a person. It’s deliberately broad and covers the following information and data:
- Identity or passport numbers
- Date of birth and age
- Phone numbers
- Email addresses
- Online or instant messaging identifiers
- Physical addresses
- Gender, race and ethnic origin
- Photos and video footage, including CCTV footage, voice recordings and biometric data
- Marital relationship status and family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs
- Employment history and salary
- Financial information
- Education information
- Physical and mental health information
- Membership of organisations or unions
A “person” in this case doesn’t only refer to your customers and clients but literally any human being. This includes your employees, suppliers and every stakeholder that interacts with your business. Under the act, your business is obliged to protect the personal information of all these individuals.
2. How do you maintain POPI compliance?
The POPI Act outlines eight conditions for the lawful processing of personal information by public and private entities. These are minimum requirements that a business or organisation must meet to comply with the new legislation. We’ve summarised them below.
- Accountability – Every public and private entity must comply with the act and it is best practice to appoint someone to be responsible for your organisation’s data compliance.
- Processing limitation – Your business can only process the information it needs for a justifiable reason and the data subject’s consent must be secured.
- Purpose specification – Personal information should be processed only for lawful purposes related to the function of your business, and the data subject must be made aware of this purpose.
- Further processing limitation – Your business has an obligation to prevent the processing of personal information in its custody for any reason other than the purpose to which the data subject consented.
- Information quality – Your business is responsible for ensuring that all personal information it holds is accurate, up to date and not misleading.
- Openness – The data subject is entitled to the details of the party responsible for their personal data (your business in this case).
- Security safeguards – Your business is responsible for identifying any reasonable and foreseeable risks that could threaten the security and integrity of personal information.
- Data subject participation – The data subject can ask for details regarding their personal information, or request its deletion, at any time.
3. How can STS help you?
While we’re not POPI compliance specialists, we are data protection experts. The requirements of the POPI Act directly impact where your business’s data is stored, how it’s stored, how long it’s stored for and who has access to it. These are all concerns that STS is qualified to help you with.
Storage will be the first concern as businesses race to be compliant by the deadline. You need to store all personal information in a secure, highly optimised and scalable environment to have the best chance of compliance. Our software-defined storage solution gives you the freedom to scale your capacity to meet your needs at a fraction of the cost of a hardware-defined storage solution.
Agile and secure backup protects your business’s data from permanent data loss. Our backup solution ensures that you’re protected from internal and external data threats by maintaining a regularly updated secondary copy of your data.
Archiving is also an important concern. The act stipulates that personal information should not be stored for longer than it’s needed, but you can archive information for research and historical purposes – as long as it’s no longer in use. We can archive your data securely and to your exact specifications to ensure that it’s only kept in line with the act and is destroyed when it’s time to do so.
Are you ready to give your business an advantage for POPI compliance? Learn why regular data backups are essential for compliant businesses in our latest guide below.