When asked how he would at first approach a client when considering the implications of the new POPI Act, Terrance Knott-Craig, a coach at The Springboard Academy, who participated in the recent episode of the Small Business Development Practitioner Webinar Series, said that he can support clients in most things, but “when it comes to actually doing what is required by POPI, it is going to be a different issue.”
He said that he can ask small business clients what they know about POPI as a conversation-starting point and then help them to understand the context and implications of the requirements for keeping the personal information of others, but not pretend to be a legal expert who can offer all the services needed to be POPI compliant.
The title of this webinar was “POPI – What you must guide your small business clients in doing,” which was the first episode presented as a new partnership between the Small Enterprise Development Agency (SEDA), the Institute of Business Advisors of Southern Africa (IBASA) and the Entrepreneurial Planning Institute (EPI).
Knott-Craig emphasised that the legal detail should be attended to by an expert, but that business advisors and small business support practitioners have a very important role in the introduction of their clients to the POPI requirements and the implementation of expert input within the clients’ working environment.
“I need to sit with my clients and help them create a framework, a roadmap, that they need to follow… step-by-step where they need to go. That is the place where I’ll have the most impact with my clients,” he said.
Varonique Philander, the small business governance expert from Chaya Legal who presented details on POPI requirements during the webinar, agreed that generalists such as business advisors have an important role to play in helping their clients to make a culture shift when it comes to the way they deal with information.
“There is a culture of dealing with personal information in South Africa, where we just share details… we don’t really think about it that much. But this culture needs to change so that small businesses are able to keep the personal information of others safe and destroy the information they do not need,” she said.
Webinar host Thobeka Poswa pointed towards the results of the attendee poll presented during the webinar where nearly two-thirds of those that participated said they are not well-informed about POPI requirements while less than a fifth said they are fully informed about POPI requirements. She noted that practitioners have the duty to inform themselves and make use of opportunities such as the Small Business Development Practitioner Webinar Series.
During the webinar, Philander provided a clear and concise framework that business support practitioners can apply to the small business context and she explained the detailed requirements stipulated by the POPI Act.
Some of the important points noted during Philander’s presentation were:
- In 2016 the Information Regulator was established to serve as a watchman on privacy rights in South Africa and to investigate complaints for breach of personal information protection rights.
- The regulator’s mandate includes enforcement of the Protection Of Personal Information (POPI) Act, which was promulgated in 2018 for commencement by July 2020, but which date was extended by a year.
- All the “personal information” of individuals and legal entities like companies are included as “data subjects”, implying that a business must manage the information of its clients, suppliers, staff, and any other parties with extreme care.
- It is a fairly widespread misconception that smaller businesses are exempted or are allowed leniencies, implying that most small businesses are thinking they do not have to comply, or that they can quickly create a policy document and be compliant, but that they are not.
- Data subjects have the right to be notified if their personal information is collected, to request access to the records, that personal information must be corrected or even that it must be destroyed if there are no good reasons for keeping the information, and they have the right to instigate civil proceedings if their rights are violated.
Philander explained the details of the eight conditions covered by POPI, namely:
- Accountability: The person or organization collecting personal information has a duty to adhere to the principles to protect personal information.
- Processing Limitation: This means that personal information can only be processed if gathered directly from the data subject or where there is a legal duty or contractual obligation to do so.
- Specific Purpose: The personal information must be collected for a specific purpose and the data subject must be aware of the purpose and who the recipients of the personal information will be.
- Further Processing Limitation: Personal information collected can only be processed for a specific purpose, and if further processed it must be shown that the reason for such further processing is the same as the original purpose.
- Information Quality: The person processing the personal information must make sure that the information is complete, accurate and not ambiguous.
- Openness: The person processing the personal information must ensure that the data subjects are aware that their personal information is being collected, the identity of the person or organisation collecting the personal information, whether the provision of the personal information is mandatory or not and the consequences of not responding, and whether the personal information collected is required according to law.
- Security Safeguards: Technical and organisational measures should be implemented in order to safeguard personal information from the potential risk of loss, damage or destruction and unauthorised processing and use.
- Data Subject Participation: The data subjects have access to any information held by an organisation or a person; are entitled to know who has access to their personal information; and may that their personal information be corrected.
During the webinar updates on upcoming opportunities were provided by Mpho Mofikoe (Managing Directors at IBASA), Bongi Msibi (Materials Development, Sourcing & Training Coordination Manager at SEDA) and Bonny Mbukulwa (Curriculum Design and Materials Development Specialist at SEDA).
- To join the upcoming CPD webinar you can << REGISTER HERE >>.
- Christoff Oosthuysen is the webinar producer, Founding CEO of the Entrepreneurial Planning Institute (EPI) and General Partner at Seed South Capital.