“I have a small insurance brokerage firm with a number of private clients. To service my clients I have to obtain and keep personal information of them on file. Is POPI going to affect me and will I have to change the way I am currently dealing with my client information?”
The promulgation and phased implementation of the Protection of Personal Information Act 4 of 2013 (POPI) has many businesses wondering, as in your case, whether its commencement will affect the manner in which their business collects and stores the information of clients. This concern is well founded, as POPI makes it clear that a failure to comply with it once it is fully operational could result in hefty administrative fines as well as reputational risk due to non-compliance.
POPI has its roots in the Constitution and aims to promote the protection of the right to privacy with regard to the processing of personal information, and to balance this right against other rights, such as the right of access to information. This includes the collection of personal information and the manner in which such information is used, processed and stored.
POPI applies to the processing of personal information by or on behalf of a responsible party, by automated or non-automated means. A “responsible party” is widely defined as “a public or private body or any other person who determines the purpose of and means for processing personal information”. POPI goes even further by also including persons, termed “operators”, who process information on behalf of a responsible party in terms of a contract or mandate. As a consequence, POPI demands that not only the responsible party, but also the operator which it mandates, must ensure that any personal information acquired is adequately secured and that strict measures meeting the requirements of POPI are in place for the processing thereof.
From the broad definition of a responsible party, as well as that of personal information, it is clear that your business will most likely be subject to POPI and that you will need to ensure that the way you deal with such personal information is POPI compliant. Fortunately, not all of the provisions of POPI are yet operational, and once they become operational, businesses will be granted a twelve month grace period to address their compliance. But time flies quickly, and it would be advisable to use the available time wisely: do not delay in obtaining help to conduct an audit of your business and establish whether or not you are POPI compliant, then determine what steps you can take to address any compliance issues and ensure that your reputation with clients remains sound by being fully compliant.