Explainer: Here’s what you need to know about SA’s massive new data privacy law

Business Insider SA
  • The bulk of the Protection of Personal Information (Popi) Act of 2013 comes into effect next month. Businesses will have one year to comply.
  • That means much less spam and fewer robocalls because companies will need your permission to contact you.
  • All businesses, big and small, will need to put things in place to comply, including a privacy policy.

SA’s massive new data privacy law kicks in at the end of the month, and that will mean much less spam and fewer robocalls in your life.

The Presidency announced on Monday that sections of the Protection of Personal Information (Popi) Act of 2013 will come into effect from 1 July. Companies will have one year – until 1 July 2021 – to comply.

“South Africans will now have the right to privacy afforded to them by the constitution,” says Ahmore Burger-Smidt of Werksmans Attorneys. “We now need to deal far more diligently with the information we collect. Companies can only collect what is necessary and have a legitimate reason to collect that information.”

“It’s like when the Consumer Protection Act (CPA) came into force,” says Francis Cronje, an information governance specialist and contributor to the POPI Act. “Before that, people understood they had certain rights, but it didn’t really affect their life. Now if I buy something and it’s not right, I have certain recourse under the CPA.”

The basic intention of Popi, he says, is “not to impede the free flow of information. It means that if you collect my personal information, you don’t lose it, and you treat it with respect.”

“Say I buy a watch and the shop asks for my name and surname,” says Cronje. “Now they’re not allowed to share that information with anyone else, or send me marketing without my consent. They can’t share it with people I’m not aware of, or that I haven’t authorised.”

Popi means the end of spam and robocalls – under certain circumstances.

Come 1 July 2021, you’ll receive fewer spam voice messages on your phone (known as robocalls), and fewer spam SMSes. It doesn’t mean they’re going away, says Elizabeth de Stadler, co-founder of Novation Consulting and co-author of "A Guide to the Protection of Personal Information Act".

“But it will be much harder to do, and you will have more control over when you get them”.

You won’t receive unsolicited robocalls and spam texts – and that “unsolicited” is a crucial distinction. Companies need to ask your permission to send you marketing material. If you’ve given that permission, they can contact you until you ask them to stop.

The buying and selling of information will be much, much harder. Companies have built up huge databases of contact details, including your phone number and email address, and these get bought and sold on the open market. That’s not allowed anymore – a company is not allowed to pass on your details to another party. And if they do, you can lay a complaint with the Information Regulator of South Africa, a new office established by the act. The powers of the regulator are substantial. It can levy fines of up to R10 million, or even jail sentences for the worst offenders.

“In countries with similar data privacy laws, a lot of these companies have gone bust,” says De Stadler. “If I were a data broker, I’d be very scared right now.”

Even if you sign up, you’ll be able to opt out for free.

Anyone who has received a spam SMS knows they can be annoying to get rid of. Sending a message back saying “Stop” or “No” costs money.

“Think of someone buying pay-as-you-go airtime, and they can only afford R10 airtime a week,” says Cronje. “Suddenly I’m being bombarded with spam SMSs. For me to unsubscribe costs me R1, and if I’m bombarded with five or six at a time, there goes my airtime for the week.”

It doesn’t mean the end of telemarketing – because that is not electronic, apparently.

So companies can’t send you unsolicited SMSs or robocalls, but they can still cold call you. That’s because, according to Popi, telephone calls don’t fall under electronic communication, says De Stadler. However, voicemails are covered. So robocalls get blocked, but an actual human phoning you up to sell you something is still allowed. If you want them to stop contacting you, you can formally ask them to stop, which they have to do under the CPA.

The way stores use your information for rewards cards and store cards will need to change.

According to Cronje, retailers will need to start thinking differently about how they use your information. Say you had a credit card several years ago, and got rid of it, but still receive marketing information. Under Popi that won’t be allowed anymore. Or what about that clothing store card you signed up for five years ago but never used? Under Popi retailers will need to take steps to destroy your information after a set period.

Corporates will stop asking employees and job seekers for so much information.

“The reality is companies will have to cut back on the extent that they process information,” says Burger-Smidt. If you joined a company recently, or you’ve been looking for a job, then the amount of personal information you need to hand over can seem quite intrusive. Under Popi you can push back and question why the company needs your information, and they need to supply a good reason for wanting it.

According to De Stadler, roughly 60% of data that companies are asking for is out of habit. “Organisations are very reckless when it comes to personal info,” says Cronje. “Now they will need to ask permission to retain your CV, or they’ll need to destroy it. And what happens if you leave the organisation? Now they’ll need to have a policy in place to get rid of your information.”

It’s not just big corporates who will be affected – every business will need to comply.

If you own a business, you have one year to comply with the act.

“There are certain things you need to put in place,” says Burger-Smidt. “You need to have an Information Policy, you need to make sure your employees know about Popi, and you need to appoint an information officer.”

That need not be a new employee. You can appoint yourself information officer, but it means you’ll be responsible for ensuring the business processes data correctly, and has a plan for when to get rid of it. You also need to have a plan in place in case you’re hacked and someone steals that data.

It’s not just electronic documents – it means hard copies too.

Say you own a guest house. It’s reasonable to make copies of travellers’ identity documents or passports because you need that information legitimately. However, you can’t just put it in a drawer and forget about it. You need to make sure that information is kept safely, and disposed of safely. You’ll need to take reasonable steps to make sure you don’t get hacked and, if you do, you’ll need to tell your guests as soon as possible. It doesn’t just apply to electronic copies, says Cronje. It applies to hard copies as well. So invest in a shredder.

If you have a business, you’ll need to update your website.

Every business that has a website will now need to include a privacy notice indicating what you do with customer information, how you process it, and how long you keep it for, says De Stadler.
