The Protection of Personal Information Bill or more commonly referred to as POPI, has far reaching consequences for any entity or individual that processes (i.e. collects, handles, retrieves, stores,retains, destroys, deletes etc.) personal information. POPI makes provision for 8 conditions a company, organisation or person has to comply with if it intends on processing personal information lawfully.
With the fast and ever-increasing rate of growth in the technology sector, and more specifically the Information and Communications Technology (ICT) sector, the privacy or protection of personal information is becoming more and more relevant to every online individual's day to day life.
With geo-location and / or -tagging, IP address identification, web-cookies, Facebook and other social networking profiles, various mobile platforms, cloud computing, sharing of information and the targeting of all this information by big corporates or entities for targeted sales, the world has become a much smaller place, necessitating the protection of personal information.
Gone are the days where only your name, address and ID number are considered personal information. Today, as exampled above, a wide array of bits of data can be stringed together to infiltrate our privacy.
However, as with most developing countries, access to the internet in South Africa is still limited.
BUT, a thriving mobile industry has given large entities ample opportunity to exploit the privacy of mobile users who do not necessarily have other forms of communication, sometimes leaving them incurring unnecessary costs through unwanted subscriptions and / or misleading advertising.
POPI will inter alia, amongst many other things, try to regulate these forms of exploitation. It will also enforce entities to establish the necessary security safeguards surrounding the processing of personal information.
For the first time we will have legislation that enforces entities to utilise appropriate Information Security standards.
It will further try to curtail localised spamming, it will combat ID theft and hopefully open certain trade barriers by establishing South Africa as a country with adequate data protection legislation.
The Act will aslo create better transparency so that individuals or data subjects whose personal information (PI) is utilised, would be able to understand what their PI is being used for, how it is distributed, and why they have to hand over certain pieces of PI, where it might be deemed as unnecessary.
Data subjects will also have more control over their own information and be able to correct, rectify or request deletion of their PI.
Organisations in turn should therefore ensure that they make enough provision to enable their own enforcement of the 8 POPI conditions.
POPI implementation is organisation wide and touches on every department or business unit within companies, schools, hospitals, mines, car dealerships, estate agencies, universities, insurance and banking houses, couriers and smaller entities such as doctor practices, attorneys, faxing and copying companies to name but a few.
It is complex (spanning across all formats, media or records), yet achievable, but sideline sitting and a wait and watch approach will land any entity, irrelevant of size or shape, eventually in merky regulatory water.