FANews
FANews
RELATED CATEGORIES

POPI – hardly anything is prohibited; but don’t ignore it

13 August 2014 Elizabeth de Stadler, Novation Consulting

In any situation, insufficient knowledge can lead to over -reactions and people suspecting the worst. This has been the case with POPI, said Elizabeth de Stadler of Novation Consulting. Addressing compliance officers at the recent Compli-Serve SA POPI seminars around the country, she said that, in fact, POPI prohibits hardly anything and businesses should “beware of oversimplified, alarmist views;what you do now you will still be able to do, with only a few adjustments to how you, for instance, interact with customers.”

While the Act was promulgated in November last year, an effective date has yet to be set, nor have the accompanying draft regulations been finalised, although these are expected to be more procedural than substantive. Furthermore, from the effective date, businesses will have a grace period of somewhere between one to three years. POPI will, however, apply to the personal information companies have now.

According to de Stadler, the majority of privacy breaches are the result of identity theft. Perpetrators are not above ‘dumpster’diving for pieces of paper with bits of identify information. “We tend to think about online hackers these days, but hard copies are still the biggest risk.”

“Personal information is not necessarily private information, so read the definitions carefully,” de Stadler said. “Just because a piece of information is freely available does not mean you can do what you want with it.”

POPI attempts to balance the right to privacy and the protection of personal information with other rights, such as the right to access to information. It aims to protect the free flow of information both within South Africa and across its borders and applies to ‘responsible parties’ domiciled in SA and regulates the sending of information outside of SA for processing.

“Globalisation is an ongoing challenge for law-makers: information is everywhere and does not respect national boundaries,” said James George, a compliance manager at Compli-Serve and editor of CompliNews.

Triggers

POPI is about how businesses collect process and distribute personal information over the entire life cycle of the relationship with a customer. It applies to all staff members and juristic persons. ‘Processing’ means “any operation or activity or any set of operations whether or not by automatic means” and includes a wide range of examples. The definition of ‘personal information’ is also broad and includes things such as biometric information, personal correspondence and personal views or opinions. “If a client is likely to be surprised about how you’ve used their personal information, think carefully before going ahead,” said George.

Requirements

In plain English, POPI requires businesses to:

- Know what data they have and why they have it
- Be transparent about how they use data
- Have the right consents from customers
- Ensure their data is secure; and
- Get rid of data when it is no longer needed.

“If you’re purchasing information from a data company, it’s your responsibility to ensure your supplier is POPI compliant,” George says.

Consent

“You generally don’t need consent to process information unless you’re doing something very strange or surprising, so try not over burden your customers; proper notification will often avoid the need for consent,” de Stadler said. However, in the case of direct marketing consent is required..

What should you do now?

Get a project team together and think about what data you have and what you do with it. Be careful of high level audits that can miss important aspects of your data processes and will usually tell you what you already know. Definitely get rid of any data you don’t need as, if it’s still in your possession when the Act comes into effect, POPI will apply. Strive to improve your data and physical security, and institute training and awareness programmes for your staff.

Quick Polls

QUESTION

Early 2025 asset manager outlook statements point to opportunities in emerging markets and the US dollar. How do you approach these factors in client portfolios?

ANSWER

Diversify across emerging and developed markets
Focus on long-term opportunities in China and India
Maintain a cautious stance around US-dollar investments
Prioritise local markets for safer EM growth
fanews magazine
FAnews November 2024 Get the latest issue of FAnews

This month's headlines

Understanding treaty reinsurance – and the factors that influence it
Insurance brokers: the PI scapegoat
Medical Schemes' average increases for 2025
AI is revolutionising insurance claims processing and fraud detection
Crypto arbitrage: exploring the opportunities and risks
Subscribe now