The Evolution of Data Privacy Laws in South Africa: A Post-POPIA Era

Bamanye Gqanabisa

Nottingham Trent University

This blog is written by Bamanye Gqanabisa, a third-year law student at Nottingham Trent University.

The digital age has increased the use and accessibility of personal data, which has led to growing privacy concerns all over the world. As a result, most countries have instituted laws that guard personal data and control how organizations handle it. In South Africa, data protection regulation took a major step in 2020 with the passage of the Protection of Personal Information Act (POPIA). This blog post covers the implications of POPIA and how businesses and individuals are adjusting to the new data protection rules, in the context of increasingly forceful data protection rules across the world.

Understanding the Purpose of POPIA

The Protection of Personal Information Act (POPIA) was designed to advance the protection of personal information processed by both public and private individuals and organizations. Its main goal is to protect the interests of individuals by placing strict controls on the collection, processing, use, and disclosure of information relating to identifiable persons. According to POPIA, personal information means any information that relates to the data subject and includes any information that identifies the data subject, such as an identification number, symbols, an electronic, visual, or postal address, biometric data, etc., as well as online identifiers such as IP addresses. In doing so, POPIA aligns South African data protection law with international best practices, particularly the GDPR.

The passing of POPIA is a major development for data protection in South Africa. Before the Act, South Africa had weak data privacy laws, and companies operated in environments that had little regulation. POPIA has shifted the balance by putting in place a legal regime that requires corporate entities to treat data protection as a critical area of compliance or risk hefty fines for breaches.

Key Provisions of POPIA

Some of the critical provisions of POPIA include:

· Accountability: The Act applies to organizations that both collect and process personal data, and under the Act they are mandated to be compliant. This makes businesses answerable for any personal data that has been misused within their operations.

· Lawfulness and Minimality: POPIA requires that an organization collect and process data lawfully and reasonably, and collect only data that is reasonable and necessary for a particular purpose.

· Data Subject Participation: POPIA entitles individuals, called ‘data subjects’, to control their personal information, for instance through access, rectification, or objection to the processing of their data.

· Security Safeguards: Organizations are required to apply adequate security procedures that will prevent data loss, damage, or access by unauthorized personnel. Any loss of data must be handled in compliance with the law and must be reported to the Information Regulator and the affected individuals.

· Cross-border Data Transfer: POPIA prohibits the transfer of data to other regions that do not meet international data protection standards, which puts pressure on organizations that operate in different parts of the world.

Businesses and Their Adaptation to POPIA

POPIA has created new duties for businesses, and many have changed how they manage personal information as a result. Most companies have had to implement legal compliance solutions, update internal policies, and confirm that their IT infrastructure complies with the security specifications mandated in the Act.

The most significant problem companies encounter as they work toward compliance is the principle of data minimization, which is the collection of only the data that is appropriate to the objective of the task. This has made many organizations redevelop their data-gathering procedures and place increased restrictions on the kind and amount of private information that can be collected. Failure to adhere to this principle attracts serious consequences: stiff fines of up to R10 million for the company and even a jail term for executives in serious cases.

Another area of change has been security, especially cyber security. It has now become mandatory for businesses to put measures in place to ensure that their data is not breached. This often means embracing new technologies, holding regular reviews, and educating people about best privacy practices. Given the increasing threat of cybercrime, POPIA also emphasizes appropriate security safeguards, mainly because a business needs to be ready to react quickly to a data breach. Failure in this regard results in the loss of the institution’s reputation and of its customers’ trust, which costs the organization heavily in financial terms.

B2B firms and firms dealing with data that flows across South African borders have not been exempted from the challenge of coming to terms with the cross-border transfer restrictions. This has forced many companies to rethink their data sharing with third-party service providers situated in other regions of the world including South Africa. These businesses need to guarantee that their legal environment has measures and standards on data protection as provided by POPIA. Noncompliance with this provision may attract penalties as well as interference with international activities.

Impact on Individuals and Their Rights

For individuals, POPIA has provided a layer of protection over their information that was missing before. Previously, South Africans had virtually no say in who had access to their data or how it was disseminated, and data owners often woke up to find their information leaked to other parties or their numbers used for promotional purposes without their opting in. POPIA has changed this by giving individuals clear rights regarding their data, namely the right to access one’s personal information, to request correction of inaccurate information that is processed, and to request that their information be erased. This has made it possible for South Africans to be more in charge of their information and to seek remedies if their right to privacy is infringed.

In addition, under the new Act, people providing personal data can make more informed decisions. Under the provisions of POPIA, organizations are required to give data subjects adequate information about the purpose of processing their data and the anticipated third parties with whom their data may be shared. This has led to the development of a culture of privacy in which people who are asked to provide information are very careful about who they give that information to and why.

Conclusion

POPIA has brought a new era of data protection for individuals in South Africa. It has put South Africa on par with the rest of the world, where higher expectations are placed on entities, while returning to individuals power over their data. Although businesses have felt the pressure of these changes and are still coming to grips with some of them, POPIA has generally improved data privacy and protection for society’s data subjects, which makes the digital world a safer place for users and businesses. Given the increasing concern for data privacy in the world, the experience gained in the post-POPIA environment will be valuable for further developments in South Africa.
