The fast-approaching, certain enforcement of the Protection of Personal Information Act (PoPIA) has left many uncertain about the boundaries of consent under this new piece of legislation. To avoid substantial penalties, organisations must have consent for all the data they possess.
PoPIA was implemented on 1 July 2020. A 12-month grace period has been granted, after which all are expected to comply. While the Act has been put into effect to protect personal information processed by public and private bodies, non-compliance may result in financial compensation for damages, fines that tally in the millions, and up to 10 years’ imprisonment.
“With such high non-compliance penalties, many may feel intimidated by the Act and the pressure of compliance. For this reason, Impression Signatures has made it a priority to provide relevant information about PoPIA to all varieties of businesses. With sound, digestible information at hand, we hope to empower even the smallest of businesses to ensure compliance and avoid hefty penalties,” explains Carrie Peter, Solution Owner at Impression Signatures.
The Impression Signatures PoPIA Campaign seeks to provide clear and relevant information about the requirements and obligations of this new Act. Peter explains that PoPIA sets out clear and strict requirements regarding consent. The onus of proving that consent was obtained rests with the individual or entity responsible for collecting the information. As such, it is the organisation’s responsibility to prove that consent was obtained from the customer, not vice versa.
“Although this seems simple enough at face value, this regulation may require organisations to restructure their data systems to capture and provide the relevant information. For many organisations this may mean that a complete re-engineering of current systems is required,” confirms Peter.
Further to the proof of obtained consent, organisations must also comply with data storage and security standards as set out by the Act. This may pose further challenges for organisations as most data management infrastructures have not been designed with privacy as the most pivotal concern.
“Organisations often hold large amounts of data, spread throughout operational sectors of the business. This makes compliance with privacy and consent requirements a difficult task. Organisations will be required to collect, catalogue, and digitise their vast amounts of data for it to be processed lawfully, and for the consent and privacy regulations to be put in place,” continues Peter.
According to the Act, organisations may not utilise an individual’s data unless they obtain permission from that individual to use the data and unless the individual has been offered some value for the received data. Once this has happened and the organisation has obtained the data, with the required consent, high protection measures must be in place to ensure the data is protected and kept private beyond the purpose for consented use.
When it comes to the issue of consent, the law is clear: “Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.” Therefore, organisations must obtain consent from the individual or entity from whom the data is being obtained. The organisation must also be able to substantiate that there is a valid reason for obtaining private information, such as requiring an address for delivery purposes. Additionally, further consent is required if any of the given information needs to be forwarded to any third parties.
“Consent may be considered the lynchpin of PoPIA. The customer has the right to withdraw their consent at any point in time, with a few special exceptions. Given the severity of punishment for non-compliance and the difficulty in ordering data and obtaining appropriate consent, utilising a data solution system that aids in streamlining the process would be highly advisable,” concludes Peter. “These systems allow users to follow an easy and effective process, while the organisation can rest assured that the required data management, and needed consent is being seen to.”