The grace period for complying with the Protection of Personal Information Act (Act) will soon end. By 1 July 2021, every business in South Africa must comply with the Act’s 8 conditions for lawfully processing personal information.
The Act applies to “responsible parties”, which it defines as public or private bodies or persons that, alone or together with others, determine the purpose of and means for processing personal information.
To help with your compliance journey, ask yourself:
- WHO – Whose personal information do you process? Aside from personal information of employees, customers and suppliers, you may process data belonging to shareholders, job applicants, potential customers and tenderers.
- WHY – Why do you need to process the personal information? The Act requires that you only process personal information needed for “a specific, explicitly defined and lawful purpose” related to your functions or activities. The best practice for purpose specifications recommended in the Guidelines on Transparency under Regulation 2016/679 (wp260rev.01, adopted by the Article 29 Working Party and endorsed by the European Data Protection Board (EDPB)) is to keep your language simple, avoid technical and legal jargon, use definite words and avoid qualifiers like “may”, “might”, “some”, “often” and “possible”. The purpose statement “We may use your personal data to develop new services” isn’t acceptable because it doesn’t explain what services are being provided or why the personal information is needed to develop those services. The Guidelines give “We will retain and evaluate information on your recent visits to our website and how you move around different sections of our website for analytics purposes to understand how people use our website so that we can make it more intuitive” as a better example.
- WHAT – What personal information are you processing? Only process what you need for the specified purposes because processing more personal information than necessary contravenes the condition of minimality.
- HOW – How do you process personal information? Track the information within your business and between your service providers, and identify the people who process it. Document who does what with the information. The Act obliges you to have a written contract with the service providers who process personal information on your behalf (operators) binding them to comply with the security requirements imposed by the Act. As you remain responsible for processing done by operators, your contract should also regulate service standards and include indemnities for non-compliance and reporting obligations (including immediately notifying you of any data breaches).
- WHERE – Where is the personal information processed? Establish where every item of personal information comes to rest, both within your business (e.g. on your website, email system and storage and backup systems) and with your operators. Transfer of personal information outside South Africa is restricted by the Act. You must find out where your information ends up (physically and virtually) and what data privacy laws apply in that location. The Information Regulator appears to accept that the data privacy laws in Europe and the UK are at least equal to the Act, but if data ends up elsewhere you may have to conclude an agreement with your offshore operator binding it to comply with the data privacy standards prescribed by the Act.
Start by mapping the personal information you process; the rest of your compliance obligations will follow from that map.