Date: 2022-04-09

“The last two years have not been easy for anyone. Organisations around the world have been forced to adapt to what many call the new normal, as companies have had to re-evaluate their ways of work. This was a major change, but we adjusted to it pretty well, all things considered,” says Paul Raath from Bizmod Consulting. “What South African companies may have missed during all of this was the commencement of the Protection of Personal Information Act (PoPIA).” The Act had been going live bit by bit for quite a few years; however, it officially and wholly commenced on 31st June 2020, during the height of the global pandemic. The Information Regulator, who oversees all PoPIA compliance in South Africa, gave organisations a 12-month grace period to get everything in order and implement the measures required to comply with the Act.

“It has been eight months since the grace period ended and all organisations in South Africa that are not PoPIA-compliant may face penalties should they contravene the Act as it relates to the handling of personal information,” says Raath. Despite this, many organisations are still in the process of getting their PoPIA compliance in order, and just as many, if not more, are yet to even start. Raath says that after all we have gone through and continue to go through, it is easy to feel overwhelmed when faced with what many see as a compliance tick-box exercise. But the PoPI Act is so much more than that. It’s also far less daunting than we imagine. Below he takes a look at what companies need to know about PoPIA and how it changes the way we work.

What is PoPIA, now?

Personal Information (PI) belongs to the person it pertains to, not the party that collects it. Our PI has become a much-desired commodity, with some groups willing to go to extraordinary lengths to get their hands on data. To counter this, organisations are required to have in place security measures that ensure all PI collected from customers, employees and third parties is kept safe. The Act identifies various conditions and special conditions that prescribe how organisations are expected to go about securing the PI. The Act does not prohibit organisations from collecting PI, but it does set strict standards for what is collected and how the data is secured.

So, what does this all mean?

We need to view PoPIA as a means to embrace business best practices and responsibility. Ultimately, the Act requires organisations to:

Only collect the PI they absolutely need to conduct business,

Keep that PI secure while in their possession,

Better manage their customers’ direct marketing consent preferences, and

Keep closer tabs on weak points in their information flow.

“These are all aspects an organisation would want to optimise anyway, as it can have a positive impact on not just operating costs but also earnings,” says Raath.

