Why you need new business policies before July 2021

Since the POPI Act came into effect on the 1st of July 2020, many businesses have had to rethink the way that they use and store individuals' information. In some ways, it may place a burden on some small businesses that have been using the same tactics for years to engage with clients and potential clients.

What are some practical implications of the POPI Act that you need to keep in mind?

Because the POPI Act requires that information be kept only for as long as it is used for a specific purpose, and that personal information be protected, you need to become much more cognisant of where you are storing personal information.

Since you need to dispose of information that is no longer relevant and continue to update your databases regularly, you need to know exactly where the data is stored and how to access it. While the easiest method would be to have an automated solution to dispose of no-longer-used information, this leaves no margin for error in the automated system and could prove costly to design. The POPI Act requires someone to be appointed as a data custodian and if there is no automation possible, the data custodian will regularly have to update the information manually, which could be quite time-consuming.

You also need to focus on what is stored and why you are storing it. The POPI Act stipulates that only information used for a specific purpose be stored. In other words, storing any data collected from a data subject without a specific and clearly defined goal could carry strict legal implications. You are thus not allowed to store any irrelevant or otherwise excessive information. This is especially true of highly sensitive data (such as financial details), which requires excellent data protection to be kept safe from cyber-intruders.

How your data is stored should also be considered. The POPI Act requires security measures to be put in place for any data stored (both physically and digitally), which means that all foreseeable risks to data must be accounted for. Think of the practical implications that this might have for your data servers (such as the need to install CCTV to monitor the servers or the way that you encrypt data for safekeeping).

You can only approach someone once for consent for the collection of their information. What this means for direct marketing is that once an individual declines, you are legally prohibited from contacting them again for their information. Data subjects are also at liberty to access their collected information on request and may ask who has access to that information. This means that whose information you collect and use matters, as well as who has access to and/or uses that information. Unless express consent is given by a data subject, you are by no means allowed to share any of their data with a third party.

Time is running out for businesses to become compliant. When the 1st of July 2021 arrives, businesses will be expected to have become compliant with the POPI Act. This means that before the date arrives, businesses will need to have done a data audit to make sure that their data only holds the personal information that the POPI Act allows, and to have implemented policies that regulate information collection, storage, processing and destruction. Making sure that you are compliant will take time because deliberate changes need to be made in how you handle personal information, something which cannot be left until the last moment.

One of the best things that businesses can do from here on out is to implement processes that will normalise POPI Act compliance in the day-to-day operation of the business. The sooner, the better.

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your adviser for specific and detailed advice. Errors and omissions excepted (E&OE)

