The basics of South Africa’s Protection of Personal Information Act (POPIA or POPI Act) are becoming common knowledge in the business world, but a few points are less well known and will be useful for those who already know they need to comply with the privacy regulation.
Determining a breach
Under POPIA any unauthorised access to personal information is regarded as a breach. So, even if nothing is actually done with the information that’s been accessed without authorisation it’s still treated as a breach and you have to inform data subjects.
However, under POPIA, a breach isn’t necessarily regarded as non-compliance. If you can show that you’re taking reasonable steps to avoid a breach then you’ll still be considered compliant. It’s therefore vital to show proof of compliance activity such as training employees in cyber awareness and having a good cyber security strategy.
Outsourcing compliance
While it is wise to get help with your POPIA compliance from a dedicated software provider, you can’t outsource your compliance totally because no provider can ensure against negligence or inhouse illegal activity. As part of your compliance strategy you need to be able to show that you have security checks and measures in place to detect what software won’t be able to pick up.
Considering fines
POPIA requires an ongoing commitment to data protection – it’s not a one-off exercise – therefore one can’t opt to rather pay a fine than become compliant because the penalties for non-compliance are steep.
It would be easier to become compliant than face a maximum fine of R10 million or a prison sentence of up to 10 years, or both, for serious offences. For less serious offences there’s the possibility of a fine and a prison sentence of up to 12 months, or both. There’s also the risk of a damaged reputation that would come from clients/suppliers knowing that their data isn’t safe with you.
Ask us any questions about POPIA and we’ll help you.