POPI regulations: how they apply to your business
By Melanie Coetzee
Although the regulations to the Protection of Personal Information Act (POPI) haven’t yet been signed into law, businesses are encouraged to start adapting their policies with regard to the gathering of personal data from their clients.
Following the signing into law of POPI (Protection of Personal Information Act) in November 2013, together with the proclamation that only four very limited sections within POPI would become applicable from April 2014 (including the establishment of the Information Regulator), not much else has happened other than the balance of POPI’s provisions being debated for finalisation. So, in effect, POPI is not yet applicable to general business and clients’ information.
However, on 14 December 2018 the Information Regulator published the final POPI regulations which have given definitive clarity on the extent of this law’s application and the detailed requirements which will be imposed. At least businesses will now be able to start the process of addressing the ways in which their clients’ information is obtained, stored and used with proper guidelines found in these regulations.
These regulations have not yet been signed into law, so for now, non-compliance will not be scrutinised, nor will it constitute an offence. However, businesses are encouraged to start developing policies to make the changes that will be required, as most business practices currently fall short of the international data policies contained in the General Data Protection Regulation (GDPR), which commenced in May 2016, and of POPI in general.
The final POPI regulations deal with the practical side of the Act, and several forms accompany the regulations, for example for cases where clients object to the processing of personal information and request correction or deletion of their information (Form 1 and Form 2). The regulations also require businesses to assist their clients, within reason, in accessing these forms and submitting them to the business. In this regard, it would appear that businesses will have to make reference to these POPI rights in their documentation and/or websites and make these forms available for download for their clients.
For clarity’s sake, it is worth mentioning that clients and consumers may not unreasonably submit the above requests if the personal information being obtained is required in terms of other legislation. For example, the new Financial Intelligence Centre’s requirements (FICA) require filing of clients’ information for a period of time following the transaction. As a result, neither the business nor the client has a choice in the processing of personal information, in which case you may reject a request as mentioned above. But be vigilant and well informed, since not all information that is currently gathered is in terms of legislation. Some information is gathered for practical purposes only, so it is worth having the information sheets and other working documents of your business reviewed by a conveyancing attorney.
Information Officers will have to be appointed in each business, and their responsibilities will now also include drafting an internal manual covering: i) the development of a POPI compliance framework within that business; ii) the measures that are to be implemented that deal with clients’ information in terms of the POPI framework; and iii) the need to make available the manual to everyone in the business on request.
The regulations also allow for industry codes of conduct to be issued by the Information Regulator. Should anyone affected or interested wish to initiate this process with the Regulator, Form 3 in the POPI regulations will need to be completed and submitted.
Direct marketing: One of the most important regulations for the purposes of the property industry is the requirement that companies who wish to process personal information for purposes of direct marketing by electronic communication must first obtain a client or consumer’s consent in the format of Form 4. In practical terms, this means that all businesses need to start introducing this form for completion by all consumers or clients as a standard process when collecting information. In the property game, this will mean that all sellers and buyers will need to complete this form when signing a mandate and offer, since neither party’s personal information may be utilised from the database for any electronic marketing purposes, even if the mandate or offer specifically refers to it.
Client complaints: Client complaint processes are discussed in the new regulations, and the entire process of dispute resolution in respect of personal information and data disagreements is now regulated.
Even though all businesses have a lot of work to do in order to ensure full compliance with POPI and its December 2018 regulations, there is at present at least no extreme pressure to make the necessary changes. POPI provides that businesses will have 1 year from the date on which the balance of POPI and the regulations are proclaimed to ensure compliance. But, in order to avoid being caught off guard, it is useful to initiate a review of business methods with reference to software security, archiving, invoicing, standard documentation, disclaimers and other areas. Now that the detail of what is needed is finally found in the final POPI regulations, a review should be manageable if done over a period of time.
About the author: Melanie Coetzee has practiced as an attorney, notary and conveyancer since 2002 and with conveyancing attorneys STBB since 2004. She was appointed director of the firm in 2010. She has done extensive training on the Consumer Protection Act and is a technical trainer on specialized legal topics in the Western Cape.