The Protection of Personal Information Act (or POPI Act) is South Africa’s equivalent of the EU GDPR. It sets some conditions for responsible parties (called controllers in other jurisdictions) to lawfully process the personal information of data subjects (both natural and juristic persons).
All organizations that collect, process, store or share personal information must abide by the rules and regulations of the Act. The POPI Act does not stop you from processing and does not require you to get consent from data subjects to process their personal information.
Whoever decides why and how to process personal information is responsible for complying with the conditions. Comprehensive data privacy and data security initiatives will need to be implemented so that the technology, systems and processes used for information-gathering and information management comply with the law.
Broadly speaking, the POPI Act sets certain conditions for the acquisition, storage and management of personal details so that individuals (and legally recognized entities) know what is being done with their data. The law also defines the obligations and responsibilities related to information management, including quality control and security.
The key purposes of the POPI Act (as decreed) are:
To give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party.
To regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information.
To provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act.
To establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfill the rights protected by this Act.
Who is bound by the POPI Act?
All organizations that collect, process, store or share personal information must abide by the rules and regulations of the Act.
Streamline Compliance Efforts with Microsoft Compliance Manager
Because achieving organizational compliance can be very challenging, understanding your compliance risk should be your first priority. Customers have told us about their challenges with a lack of in-house capabilities to define and implement controls, and with inefficiencies in audit preparation activities.
Microsoft’s Compliance Manager and Compliance Score help you continuously monitor your compliance status. Compliance Manager captures and provides details for each Microsoft control that has been implemented to meet specific requirements, including implementation and test plan details, and management responses if necessary. It also provides recommended actions your organization can take to enhance data protection capabilities and help you meet your compliance obligations.
To learn more about how Microsoft and First Technology can help you easily and rapidly comply with POPIA and GDPR, you can download our latest Ebook - “Microsoft 365: The POPI Act, GDPR and Compliance”.
For any queries about how First Technology, in partnership with Microsoft, can help your business evolve, get in touch with Jolene Strydom on jolenes@firsttechnology.co.za or call us directly on 021 525 7000.