GDPR and POPI – MUST SOUTH AFRICANS COMPLY?
The GDPR is a European Union regulation and does not have general effect in South Africa. It is not a local law in this country. However, parties that process personal information in South Africa may have to comply with the GDPR. This is because the GDPR does have so-called “extra-territorial application”.
Does this matter in South Africa?
A person or entity in South Africa will need to comply with the GDPR’s requirements if they process personal information of someone based in the EU. But this will only be the case if the information is processed in relation to the offering of goods or services or the monitoring of behaviour that takes place in the EU. For example, you will need to comply with the GDPR if you sell products to people in the EU or if you have a website that tracks the behaviour of people in the EU by using cookies.
IN PURSUIT OF POPI READINESS
Why it is vital that companies practically understand POPI and the consequences of not doing so now.
It is important to do a high-level analysis of the personal information in your company before embarking on the POPI implementation journey. Companies should be doing this now and not waiting for the 1st July 2021.
Organisations should have already started to identify the risk areas and be working on these. Alongside this activity, there should be a task team that takes on the responsibility for POPI compliance and readiness. We can help form the task team. Contact us here to find out more.
There are many misconceptions surrounding POPI. Many people do not even realise that POPI is not yet properly in force. Organisations need to understand when POPI will apply to them, and when not. If they understand how POPI works, they can adapt their processes accordingly.
So, what are the three key factors to consider when preparing for POPI?
- Determine what kind of personal information you are processing and why you are processing it.
- Accept that POPI compliance is necessary to avoid fines and reputation damage. Also accept that it can make your business more efficient and streamlined.
- It will be important to raise awareness in your organisation. It makes it easier if people in your business are familiar with POPI’s requirements and know where the issues lie.
If your organisation retains large quantities of personal data, you need to identify the various types of information being collected and retained. Then you can decide whether you can limit your collection and retention practices. Determine whether you need all the information currently being retained and whether some of it can be deleted.
Are you ready for POPI? Contact us here to learn more.