Protection of Personal Information Act

This information was provided by Bowmans.

The Protection of Personal Information Act (POPIA) has far-reaching implications for employers that collect, hold, transfer and use employees’ personal information, and many are unsure about how to meet the fast-approaching deadline for compliance.

To help their clients overcome this challenge, Bowmans has developed a POPIA Toolkit for Employers that provides the documentation employers would need to ensure minimum compliance with POPIA by 30 June 2021.

If further guidance is published by the Information Regulator between 1 January and 31 December 2021, the contents of the Toolkit for Employers will be updated.

Using the Toolkit for Employers should enable employers to:

  • appoint and register an Information Officer and Deputy Information Officer/s with the Information Regulator;
  • comply with the duties imposed on the Information Officer, which include preparing a processing notification to employees and a compliance framework;
  • update their manuals in terms of the Promotion of Access to Information Act;
  • enter into POPIA-compliant agreements with operators, such as payroll providers, that process personal information on their behalf; and
  • understand the provisions of POPIA, with a particular focus on the conditions for the lawful processing of information and the rights of employees.

The consequences of non-compliance are significant and include hefty administrative fines of up to ZAR 10 million. This would be in addition to any reputational damage and costs an organisation may suffer as a result of failing to comply.

The Bowmans POPIA Toolkit for Employers should provide much-needed peace of mind that employers are doing the right things – and doing them timeously.

The POPIA Toolkit for Employers will be available from today (3 December), for a total once-off fee of ZAR 20 000 plus VAT. It can be ordered by sending an email to POPIAtoolkit@bowmanslaw.com.

In addition, if you would like to conduct document reviews to assess your internal compliance, Bowmans has fully trained their artificial intelligence tool, Kira, to assist with these types of instructions.

Please contact Talita Laubscher in Bowmans’ South African Employment and Benefits Practice to discuss your requirements in more detail.


For information as to how Relocation Africa can help you with your Mobility, Immigration, Research, Remuneration, and Expat Tax needs, email info@relocationafrica.com, or call us on +27 21 763 4240.


South African organisations now have one year to comply with the long-awaited Protection of Personal Information (POPI) Act (POPIA).

This follows the Presidency's recent announcement of the commencement of the remaining sections of the 2013 data privacy law.

The Act gives effect to section 14 of the Constitution, which provides that everyone has the right to privacy.

Since 2013, the Act has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.

The sections that will commence on 1 July 2020 are:

  • Sections 2-38 dealing with exclusions and the conditions for lawful processing of personal information;
  • Sections 55-109 dealing with the responsibilities of information officers, direct marketing (unsolicited electronic communications), relevant Codes of Conduct and enforcement mechanisms (offences, penalties and administrative fines); and
  • Section 114(1), (2) and (3) which deals with transitional arrangements.

The sections that will commence on 30 June 2021 are:

Sections 110 and 114(4), which deal with the amendment of laws and the transfer of functions from the South African Human Rights Commission to the Information Regulator regarding the Promotion of Access to Information Act (PAIA).

Responsible conduct

Francis Cronje, an information governance specialist and contributor to the POPI Act, comments: “What all of the above entails is that the Act as a whole will commence on the 1st of July 2020, apart from those sections that have already commenced, and those that will commence on the 30th of June 2021.”

The purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way.

Businesses that don’t comply with the POPI Act, regardless of whether it’s intentional or accidental, can face severe penalties.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Cronje explains that Section 114(1) states that all processing of personal information must within one year after the commencement of this section be made to conform to this Act.

“In essence, from the 1st of July 2020, organisations will have 12 months, or one year, to comply with the conditions for the lawful processing of personal information. No more delays, no more excuses, no more hiding,” he says.

Organisations, public and private, big and small, and anyone processing personal information, will have to align their processing activities to the Act, Cronje notes.

“Whether such processing involves personal information of your employees, prospective employees, part-time workers, contractors, clients, members, consumers, customers or third-parties or anybody else whose personal information you collect, use, share, retain, store, archive, delete or destroy – you, as a processing entity, will have to ensure that you, or anybody that processes personal information on your behalf, complies with the Act.”

Rights of data subjects

Pria Chetty, director at law firm EndCode, points out that up until 22 June 2020, limited sections in the POPI Act were in force.

She notes these were aimed at enabling the Information Regulator to set up operations and for regulations to be issued.

“The announcement from the Presidency confirms that the critical sections of POPIA will now take effect. These are substantive sections that create rights, duties, obligations, procedures and penalties.”

According to Chetty, the rights of data subjects to personal data protection safeguards finally have legal force, bringing South Africa closer to harmonisation with international and continental instruments on privacy and data protection.

“Of further significance, particularly in the context of digital innovation and advances in healthtech and edtech, is the regulation of the processing of special personal information – that will balance the need for access to information with the need to protect sensitive health and children’s information.”

She says organisations will need to address with intent now the provisions regulating the responsibilities of information officers, sectoral Codes of Conduct and provisions regulating direct marketing.

“The regulator will be pleased to see the procedures for dealing with complaints, and other enforcement mechanisms taking effect,” says Chetty.

“Ultimately, it marks the entry of non-negotiable obligations and duties for organisations regarding information privacy practices.”

Chetty believes compliance with the substantive provisions of the POPI Act will be a significant effort for many South African organisations, some of which have been preparing for the law’s enactment for years.

“Taking account of the ways in which digital technologies have altered every element of our work and society at large, embedding information privacy practices at all levels of the organisation is what is needed,” she says.

Strict deadline

Livia Dyer, partner at Bowmans, says the Information Regulator was established to implement and enforce POPIA, and its powers include the ability to levy administrative fines (of up to R10 million).

“POPIA provides for a transitional period of one year,” she notes. “This means that both private businesses and organisations and public bodies that process personal information must, at this stage, ensure they comply with POPIA by 1 July 2021.”

According to Dyer, the transitional period can be extended by a further three years for specific classes of information and certain data controllers (referred to as “responsible parties” in the Act), but there is no guarantee that an extension will be given.

“A year may seem like a long time, but business leaders need to initiate the compliance process as soon as possible because, in many cases, compliance will require the implementation of fundamental changes to their organisations,” says Louella Tindale, data protection specialist at Caveat Legal.

Meanwhile, Rohan Isaacs and Tatum Govender from Herbert Smith Freehills SA, say consumers will benefit from POPI’s requirements that their personal information must be protected and that it can only be collected or handled where there is a lawful justification for doing so.

“POPI gives consumers specific rights in respect of organisations handling their personal information and it gives consumers greater control over their personal information. Consumers are informed about what personal information is collected, by whom and why, so that consumers are able to make informed decisions,” they conclude.




General Data Protection Regulation (GDPR) is a regulation, enforceable from 25 May 2018, that is intended to strengthen and unify data protection within the European Union. The GDPR aims to give control back to citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.

When the regulation takes effect, it will replace the data protection directive (Directive 95/46/EC) of 1995. Unlike a directive, it does not require national governments to pass any enabling legislation, and is therefore directly binding and applicable.

The GDPR extends the scope of EU data protection law to organisations outside the EU that process the personal data of individuals in the EU. It harmonises data protection rules throughout the EU, making it easier for non-European companies to comply with a single set of requirements. However, this comes at the cost of a strict compliance regime with severe penalties of up to 4% of worldwide annual turnover.

Important terms to consider before reading about the GDPR include:

  • Data Subject: An identified or identifiable natural person whose personal data is being processed.
  • Personal Data: Any information related to a Data Subject, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
  • Data Controller: An entity that determines the purposes, conditions, and means of the processing of personal data.
  • Data Processor: An entity which processes personal data on behalf of the Data Controller.

The new regulation contains the following key changes:

  • Increased Territorial Scope: GDPR applies to all companies processing the personal data of data subjects who are in the Union, regardless of the company’s location, where the processing relates to offering goods or services to those individuals or monitoring their behaviour.
  • Penalties: Organizations in breach of GDPR can be fined up to 4% of annual global turnover, or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having a valid legal basis such as sufficient customer consent to process data, or violating the core of the Privacy by Design principles.
  • Consent: Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
  • Breach Notification: Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, the controller must notify the supervisory authority within 72 hours of first becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay. Processors must notify the controller without undue delay after becoming aware of a breach.
  • Right to Access: GDPR provides the right for data subjects to obtain, from the data controller, confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
  • Right to be Forgotten: Also known as Data Erasure. Data subjects have the right to instruct the data controller to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Conditions for erasure include the data no longer being necessary for the original purposes of processing, or a data subject withdrawing consent. This right requires controllers to weigh the subject’s rights against the public interest in the availability of the data when considering such requests.
  • Data Portability: GDPR provides the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine readable format’, and have the right to transmit that data to another controller.
  • Privacy by Design: Data protection must be built in from the outset of designing systems, rather than added afterwards. Controllers are to hold and process only the data strictly necessary for the purpose (data minimisation), and to limit access to personal data to those who need it to carry out the processing.
  • Data Protection Officers (DPO): Currently, controllers are required to notify their data processing activities to local data protection authorities (DPAs). Under GDPR this is replaced by internal record-keeping requirements, and appointing a DPO is mandatory only for public authorities and bodies, and for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions and offences. The DPO:
    • Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
    • May be a staff member or an external service provider.
    • Must have their contact details provided to the relevant DPA.
    • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
    • Must report directly to the highest level of management.
    • Must not carry out any other tasks that could result in a conflict of interest.

Flag of the European Union. The European Parliament’s GDPR becomes enforceable from 25 May 2018.

Parental consent will be required to process the personal data of children under the age of 16 for online services. Member states may legislate for a lower age of consent, but this will not be below the age of 13.

Topics such as data protection may seem overwhelming to some – even within a company’s IT department. But now is as good a time as any to research the very real consequences of ignoring this important aspect of running a business. The more knowledge one has about it, the easier it is to implement. And once a proper foundation has been established, occasional tweaks to adjust to new regulations, such as GDPR, are a much easier task.

With just over 100 days until GDPR becomes enforceable, businesses need to prioritize ensuring that they meet the regulation’s requirements, so that they don’t encounter any obstacles doing business with companies in the European Union later this year. Improving the quality of your company’s data protection, however, should not only be done when new regulations like GDPR come around, but rather whenever possible. This will ensure that your, and your clients’, information is properly stored, distributed, and protected. Not to mention doing so will make your clients feel at ease, and may even attract new business partners. That’s why Relocation Africa holds the safeguarding of its client and business partner data in the highest regard, and is constantly tracking changes in data-related legislation.

For more information about GDPR, including a countdown to its enforcement date, visit the EU GDPR website.


