Is your Business POPIA ready?


Here are a few things to consider:

POPIA became effective July 1, 2020, and South African organisations have until June 30, 2021 to become compliant.
The regulation gives individuals increased control over how their personal data is collected and used. It also opens new risks for organisations that handle personal data.


There are several best practices and resources that organisations can utilise on their journey to compliance.
Regulations like POPIA and Brazil’s LGPD are part of the growing trend of data privacy legislation following the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).


Most sections of the act are now officially law. But compliance isn't mandatory until the remaining part of the legislation, which grants enforcement powers to South Africa's new regulatory authority, the Information Regulator, comes into effect on 1 July 2021. This means that, if your organisation is subject to the POPIA, you only have a few months left to comply.

POPIA Compliance in a Nutshell

The POPIA is the latest in a succession of new data protection laws aimed at strengthening the privacy rights of individuals in today’s data-driven landscape.


The law was ratified in November 2013, several months before the EU voted to adopt the GDPR. But progress subsequently stalled for several years until the South African government finally gave it the green light in 2020.
Despite its slightly earlier origin, the POPIA is still very similar to the GDPR, sharing much the same guiding principles, including accountability, transparency, security, data minimization, purpose limitation and the rights of data subjects.

Does My Organization Need to Comply?

The scope of POPIA differs from that of other new data protection laws: under POPIA, what matters is where the processing takes place rather than where the data subject is located.


For example, the GDPR applies to any organization that processes personal information about European Economic Area (EEA) citizens regardless of where it’s based in the world.


There is a major difference when it comes to compliance with POPIA: South Africa’s data privacy regulation only applies to companies based in South Africa or those that process personal data within South African borders. So, to check whether you need to comply, you’ll need to find out exactly where you’re processing personal data. This should include the whereabouts of not only your on-premises data centres but also your cloud-based deployments.


However, you may have a data footprint in South Africa that is not immediately apparent. Your cloud infrastructure will likely be the deciding factor for whether or not the South Africa data protection law applies to your company: both AWS and Microsoft Azure now have cloud regions in South Africa. So your company could very well be using them in a bid to bring your data closer to African customers.

Consent and Privacy Policies

Unlike under the GDPR, you generally don't need to seek consent to collect an individual's personal information. However, you must still do so where you collect any type of special personal information.

Specific consent rules also apply to collection of data about children, aged 17 and under, where you normally need the consent of a competent person, such as a parent or guardian.

In addition, you may only process personal data for direct marketing (by email, telephone or SMS) where the data subject is a customer or has given their consent to processing.

However, you must give customers a reasonable opportunity to object to processing if they wish. And, your communications should include details on how to opt out of your marketing list.

Similar rules also apply regarding transparency. This basically means that, wherever you collect personal data about individuals, you must be upfront about:

  • who you are
  • what information you collect
  • why you collect it
  • the rights of data subjects

The most practical way of providing this information is to incorporate it into your online privacy policy.

Right of Access

The POPIA grants data subjects similar rights of access, correction and erasure as the GDPR. Under both laws, citizens may request, free of charge, confirmation of whether or not you process their personal information.

But the POPIA allows you to charge a fee for providing individuals with a copy of the information you hold about them. If you choose to do so, you must give a written estimate of the cost before you provide the service.

The POPIA only states that you must respond to any such request within a reasonable time.

Information Officer

The POPIA designates the role of information officer.


All organisations that come within the scope of the POPIA must appoint an information officer. In the absence of a formal appointment, the role of information officer falls to the head of your organisation, usually the chief executive officer (CEO).

Breach Reporting

If personal information in your care is compromised, you must notify both the relevant regulatory body and the individuals affected by the compromise.


The POPIA simply states you must do this as soon as reasonably possible after becoming aware of the breach.

Penalties for Non-Compliance

At R10 million, the maximum financial penalty for a POPIA infringement is significantly lower than a potential GDPR fine, which can reach up to €20 million or 4% of annual global turnover. However, under South African legislation, individuals can be held criminally responsible and sentenced to prison for up to 10 years in more serious cases.

What's more, POPIA sanctions apply not only to non-compliance but also to a range of other offences, which include:

  • hindering, obstructing or unlawfully influencing enforcement officials
  • failing to attend court hearings
  • lying under oath

In short, businesses can be held legally liable for negligent exposure of sensitive customer and employee information.


As security breaches and data loss are making headlines, becoming more common, and affecting more people, organizations are putting more emphasis on protecting the private information they handle.


While document shredding is a simple and effective way to protect private information, there are other effective alternatives, and if you choose to shred documents, shredding should be used in tandem with other security techniques for a well-rounded information security procedure.

Information Security Options

The best way to protect the information you handle depends greatly on your organisation. Large and small businesses will have different security requirements, as will companies that are largely digital versus companies with vast amounts of paper records.
The type and scope of information your organisation collects will also determine how stringent your security systems need to be.
Here are a few different security measures that organisations use to keep their information safe:

Physical Document Security

Secure Storage
If you use physical documents frequently, keep them locked up at your office. If you don’t use your files frequently, keep them in an offsite records storage facility that has security cameras, guards, and protections against flood and fire damage.

Surveillance
If you store your documents at your office, install security cameras. They deter theft and allow you to pinpoint the cause of a theft if one occurs.

Retention Schedule
Storing documents long term is expensive and puts your information at risk. Create a document retention schedule and routinely dispose of expired documents to reduce the risk of unnecessary data exposure.

Paper Shredding
Secure destruction is a very common and necessary last step in a document's life-cycle. Because shredding documents is cheap and easy, it is one of the best ways to safely dispose of expired files. AtYourDoor supplies the world's best brands of paper shredders, with a machine to fit your exact destruction need. Contact us today on info@atyourdoor.co.za or 051-433 1132 to get a professional assessment done at your home or business premises.
