February 8, 2021

The POPIA is in effect: What this means for you

Data is everywhere. In fact, because of the nifty autosave setting on the word processor used for writing this sentence, new information is being added to the internet as it is typed. Every day we are engaging in hundreds or even thousands of little data exchanges. When we take stock of these minute transactions, it’s alarming how much of the information being collected, sent, and stored on the internet is personal information.

Whenever you give out personal information (whether in written, oral, digital, or any other form), you’re essentially giving over information about yourself in the hope that whoever is on the receiving end will use your information responsibly, ethically, and lawfully. Without protection for the personal information we use, we would put ourselves at great risk.

While data protection policies had been in place all over the world for a while, South Africa came a little late to the proverbial party. Having passed the Protection of Personal Information Act (POPIA) in November 2013, it has taken almost seven years for it to be put into effect. On the 1st of July 2020, the Act was finally put into effect with a year’s grace period for data-collectors to become compliant.

This means that the information you process regarding data subjects (people whose personal data is being collected and processed) will soon be subject to very strict data protection regulations in order to uphold privacy standards mandated by the Constitution.

POPIA outlines eight general conditions under which personal information may be processed and used as of the 1st of July 2020. These conditions are as follows:

  1. Accountability
    For private information to be adequately protected, there must be someone who takes responsibility for the handling thereof. For this reason, POPIA requires someone to be appointed as the responsible party for the collection and processing of information of data subjects. The appointed party must ensure that the conditions outlined in POPIA are complied with as they relate to the purpose and means of collecting, processing, storing, and disposing of personal data.
  2. Processing Limitation
    This condition requires personal information to be processed lawfully and without infringing on the privacy of the data subject. The data may only be processed for the purpose for which it was required. There is also a wide range of other limitations on the protection of data that relate to consent, withdrawals of, and objections to the processing of the data subject’s personal information. Further limitations are given regarding how, and from whom, the data may be collected.
  3. Purpose Specific
    According to POPIA, compliance requires that all data be collected for a specific purpose that is clearly defined and lawful. Not only should the purpose for data collection be specific, the data subject must be made aware of what this purpose is prior to the processing of their data. Additionally, data records may only be kept as long as they are used for achieving their specific purpose, after which the data must be destroyed.
  4. Further Processing Limitation
    Any further processing of the personal information of the data subject must be similar to, or compatible with, the original purpose for which it was collected.
  5. Information Quality
    The party responsible for the protection of personal information must ensure, by all reasonable means, that the data is complete, accurate, not misleading, and up to date. Any changes must be related to the original purpose for which the data was collected.
  6. Openness
    All processing operations must be documented and maintained by the party responsible for the processing of personal information. The data subject also reserves the right to be notified of any information collected as well as the particulars of the information and those collecting and keeping it.
  7. Security Safeguards
    Personal information must be kept safe from damage or loss as well as unlawful access. The responsible party must inform the data subject of all reasonably foreseeable risks to the collection of information, and must take measures to safeguard the information and maintain and update these measures as is necessary. Further measures must be put in place when the personal information is used by a third-party entity. Furthermore, the data subject must be made aware of any possible security breaches in which their information may have become compromised.
  8. Data Subject Participation
    The data subject reserves the right to request access to any information collected about them and has the right to know who has access to the information. They may also request that the responsible party correct or dispose of information under their control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, obtained unlawfully, or that no longer serves its intended purpose. The data subject must be notified of any changes made.

Please note, however, that the conditions outlined above pertain to the most general cases of data collection, processing, storing and disposal. There is a multitude of exceptions to these conditions that may be relevant to your situation and purpose for processing personal information. So, in order to ensure compliance, it is highly advisable to speak to your attorney regarding the responsible and lawful processing of personal information.

The onus now falls on you to keep your data subjects’ information safe by becoming compliant with POPIA, and to avoid unnecessary trouble due to the mismanagement of personal information.


This article is a general information sheet and should not be used or relied upon as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your advisor for specific and detailed advice. Errors and omissions excepted (E&OE).
