
How the new POPI act affects intermediaries

07 September 2020 Sanlam

Cyber-attacks are on the rise during lockdown, increasing from the norm of 30 000 daily to 310 000 recorded on 18 March, as criminals exploit the unsecured home networks used by millions of office workers who are now operating remotely. The Protection of Personal Information (POPI) Act aims to mitigate some of the risk with additional disclosures and increased security around access to client data. The POPI Act came into effect on 1 July 2020, giving all companies, including financial service providers and intermediaries, until 30 June 2021 to comply.

Danelle van Heerde, Head of Advice Solutions at Sanlam, notes that intermediaries must ensure third party vendors have the proper security in place to protect against data breaches and ensure that their client information is stored securely.

“The POPI Act supports the trust relationship between client and intermediary by creating a transparent process,” says van Heerde. “Clients give intermediaries access to a host of personal information, so it is imperative that clients trust that their information is safe and that it is only used for the specific purposes disclosed to them.”

After meeting with a new client for the first time, intermediaries must ensure they have permission to continue the relationship and to communicate with the client. Clients must also have the option of opting out or unsubscribing from email newsletters or marketing communications.

Processing relates to any activity concerning personal information and includes any operation or set of operations connected to that information. Processing is lawful if the 8 conditions listed in the Act, set out below, are met:

1. Accountability
Intermediaries must ensure all the provisions of applicable data protection laws are complied with and remain accountable even when third parties are used to process personal information on their behalf.

2. Processing limitation
Data can only be processed lawfully with consent from the client or with legal justification, for example where necessary to conclude a contract or to meet a legal obligation. Only data relevant to the purpose may be processed.

3. Purpose specification
The purpose for which data is collected must be specific, explicitly defined and legitimate. Clients must be informed of the purpose for which their personal information is collected.
Personal information may not be kept for longer than is necessary to achieve the purpose, unless required by law, e.g. to meet the requirements of the FAIS Act.

4. Further processing limitation
Any further processing of personal information must be compatible with the purpose for which it was collected.

5. Information quality
Reasonably practical steps must be taken to ensure that the personal information is complete, accurate, not misleading and updated where necessary.

6. Openness
Clients must be aware that the responsible party is collecting their personal information, the purpose of collection and the consequence of not providing information.

7. Security Safeguards
Reasonable precautions must be taken to secure the integrity and confidentiality of personal information and prevent loss, damage or unlawful access.

8. Data subject participation
Clients may ask a responsible party to confirm whether their personal information is held, to provide details of the information held and of any third parties who may have accessed it, and to correct or delete personal information.

“If you manage a small business or brokerage, ensuring POPI compliance can be cumbersome. You may benefit from partnering with compliance experts to implement legislation and evaluate whether your third-party vendors are compliant as well,” notes van Heerde.

Until recently, companies did not have a legal obligation to inform their clients when their data had been compromised. Under the new POPI Act, companies have a legal obligation to inform their clients when data has been compromised or face a hefty fine of up to R10 million.

Overall, the POPI Act has highlighted the importance of securing personal information both for clients and intermediaries. “Intermediaries should welcome additional disclosures as an opportunity to further strengthen the trust of their clients,” concludes van Heerde.
