The Protection of Personal Information Act, generally known as the PoPI Act or POPIA, intends to promote the protection of personal information processed by public and private organisations and to introduce certain conditions so as to establish minimum requirements for the processing of personal information.
The Act applies to any person or organisation who collects and uses any data relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.
The Information Officer is responsible for ensuring that your organisation complies with the POPI Act. They must be registered with the Information Regulator.
Under the POPI Act you will only be able to direct market to people on an opt-in basis. You may contact someone only once to request their consent to send them further communications.
Being ISO 9000-2001 compliant does not make you POPI compliant. ISO 9000-2001 is an international standard, whereas the POPI Act is legislation. Meeting the ISO 9000-2001 standard helps you meet security requirements, but security and privacy are not the same thing: an organisation can have security without privacy, but it cannot have privacy without security. The principles of the POPI Act lay down specific privacy requirements with which your organisation must comply in order to be POPI Act compliant.
You will need to draw up a Records Retention Policy detailing how long you retain personal information and other confidential information for all data subjects. Personal information must be kept only for as long as is necessary to fulfil the purpose for which it was collected or processed.
If you are found to be misusing personal information you not only face regulatory sanctions, but you also run a real risk of damaging client relationships and your overall business reputation. The Information Regulator may hold you liable for a fine of up to R10 million and/or imprisonment of between 12 months and 10 years, depending on the offence.