
On 14 June 2021, the Association hosted a workshop on the POPI Act via the MS Teams platform.
The workshop featured presentations by subject matter experts Pieter Griessel of Griessel Consulting and Nic Nortjie from HKR Outsourced HR. Whilst attendance was good, with the POPI implementation date of 1 July 2021 approaching, questions from members regarding POPI requirements were frequent throughout the month.
The central theme of questions received was “what do I need to do for the POPI Act?”
POPI stands for Protection of Personal Information and the Act essentially outlines the legal obligations in respect thereof. The reality is that the POPI Act is a lengthy piece of legislation and there is no quick fix template for companies to complete that will deem them compliant.
The legislation requires that organisations have a manual in place declaring their strategy to ensure compliance. Manuals must be tailored to the organisation's requirements, and considerations such as the size, scope and nature of the organisation will influence their content.
In his presentation, Pieter Griessel highlighted the following:
Obligations of the responsible party:
- Secure the integrity and confidentiality of the personal information.
- Take appropriate, reasonable technical and organisational measures to prevent the loss of, or damage to the personal information.
- Prevent unlawful access to, and unauthorised processing or destruction of the personal information.
- Identify internal and external risks to the personal information.
- Establish and maintain appropriate safeguards against losing or damaging personal information.
- Regularly verify the safeguards and ensure that they are continually updated.
Basis on which personal information can be processed:
- When consent is given.
- When processing is necessary to carry out a contract to which the data subject is a party.
- To comply with an obligation imposed by law.
- Where processing protects a legitimate interest of the data subject.
- When necessary for the performance of a public duty by a public body.
- For the legitimate interest of the responsible party or of a third party to whom the information is supplied.
Essentially, the Act demands that organisations have checks and balances in place with regard to the above.
The most common line of questioning the Association has received relates to the appointment of the Information Officer, as specified in the Act. The POPI Act designates the head of a business as the Information Officer. The head of the business can delegate his or her responsibilities as Information Officer to any other duly authorised person and can appoint as many Deputy Information Officers as necessary. The Information Officer must be an employee of a private body, at an executive level or an equivalent position at a level of management. Similarly, Deputy Information Officers must be employees of the organisation, and multinational entities based outside of South Africa must designate a Deputy Information Officer who is present within South African borders.
While the Act does not set out specific skills and qualifications for an Information Officer, the following knowledge would be advantageous:
- A good understanding of information technology.
- Basic legal knowledge.
- A broad understanding of the company's operations, especially workflows that involve the processing, storing and use of personal information.
The Act stipulates the following general responsibilities:
- To encourage and ensure compliance with POPI as may be prescribed from time to time.
- Deal with requests made to the organisation in relation to POPI.
- Work with the Regulator in relation to investigations.
Information Officers are required to be registered with the Information Regulator. However, due to technical glitches with the registration portal and numerous concerns raised regarding the registration process, there is no deadline for registration of Information Officers and Deputy Information Officers at this time.
We trust that the information provided herein answers pertinent questions for members in order to help comply with the required legislation.
Ernest Roper | Membership Services Manager
