8 Basics of privacy law (PoPIA) for Start-ups

Entrepreneurs starting to think about setting up their company operations may have pondered over the implications of the new information privacy law known as PoPIA on their start-ups. Although you may be forgiven for thinking so, PoPIA is not the evil Secrecy Act that has caused a recent media uproar; it's actually South Africa's new superhero. It's here to defend and protect citizens' personal information against abuse. So how do you make sure that you don't find yourself on the down side of an epic battle with the Protector of Personal Information? The Act gives 8 basic conditions on how to stay on the right side of the law.

1. Accountability

PoPIA makes all those organizations that collect and use the personal information of people accountable for how they collect and use it. Those whose data is being used (called data subjects in the Act) have rights in terms of their data.

2. A Limit on Processing

Simply put, the Act limits the type of data that you can gather from people and the way that you can collect it.

Rule #1

Minimality: Keep the amount of data that you collect to a minimum. "Adequate", "relevant", "not excessive" are the words used to describe the information that you can process.

Rule #2

Consent: You can only collect the personal information of a data subject if that person consents to it.


Direct Collection: You must collect information directly from the data subject herself, unless that information is already and deliberately made available to the public by the day subject.

3. A Specific Purpose

You need to have a very specific purpose for collecting personal information, and you may only collect the type of data that is necessary to fulfil this purpose. Consequently, you may only keep this information for as long as you need in order to fulfil this purpose.

4. Further Processing Limitation

This condition is to do with third-party access to information. If your business involves you passing on the personal information that you have for further processing to another organization, you will need to ensure that the purpose of this 'further processing' is consistent with the original purpose (that is, the purpose that the data subject consented to).

5. Information Quality

You are now responsible for making sure that the information that you are processing or storing is complete, precise, not deceptive and up-to-date.

6. Openness

Documentation that describes the processing operations of personal information must be maintained. You will need to notify the data subject when you are collecting their personal information, letting them know what exactly is collected, the source of collection, the name and address of the party doing the collecting, the purpose of collection and any other relevant information.

7. Security Safeguards

Because you are responsible for the information in your possession, it follows that you need to make it as secure as possible. You will need to take measures to ensure that you prevent loss, damage, unauthorized access and unauthorized destruction of the data in your care. You are also responsible for notifying the Regulator and the data subjects of any breach of security.

8. Data Subject Participation

The data subject is allowed to have access to their information as it is kept by you. Data subjects can ask you if you have any of their personal information. They can even ask you for a copy of the record that you have and the identity of third parties that have access to it. They can also ask

you to correct erroneous information that you have on your record.

#SouthAfrica #DigitalPrivacyLaw #PoPIA