All You Need to Know about Compliance with POPIA

Last updated on September 28, 2021

The Protection of Personal Information Act (POPIA) is South Africa’s first comprehensive privacy statute, commonly referred to as South Africa’s data protection law. Most of its provisions commenced on 1 July 2020, and the one-year grace period for compliance ended on 30 June 2021, so the Act has been fully enforceable since 1 July 2021.

POPIA aims to give effect to the constitutional right to privacy, whilst balancing this against competing rights and interests, particularly the right of access to information.

Read on to find out more about POPIA and what you need to do to bring a WordPress site into compliance.

Who Does POPIA Apply to?

POPIA applies to any organization, irrespective of its size, sector, or location, that processes personal information, provided the organization is

  • Based in South Africa, or
  • Based outside South Africa, but processes personal information using means located within South Africa (unless those means are used only to forward personal information through the country)

This means any non-South African business that processes the personal information of people in South Africa should comply with POPIA, regardless of whether the business has a physical presence in the country.

What’s the Purpose of POPIA?

By enforcing this data protection law, the South African government aims to fulfill the following three objectives:

  1. To promote the protection of personal information processed by public and private bodies.
  2. To introduce certain conditions so as to establish minimum requirements for the processing of personal information.
  3. To regulate the flow of personal information across the borders of South Africa.

What are the 8 Principles (Conditions for Lawful Processing) Covered under POPIA?

Accountability

The first principle makes the responsible party (the organization that decides why and how personal information is processed) accountable for ensuring that all the conditions below are met. In practice this means appointing an information officer to oversee compliance with the Act and registering that officer with the Information Regulator.

Processing Limitation

The second principle controls how and when personal information may be processed. Processing must be lawful and reasonable, limited to the minimum information needed for the purpose, and justified on a recognised basis such as the data subject’s consent (the responsible party bears the burden of proving that consent was given). The data subject may object to processing, and personal information should be collected directly from the data subject unless one of the Act’s exceptions applies.

Purpose Specification

The third principle covers the purpose for which information is collected and how long it is retained. The purpose must be specific, explicitly defined, and lawful, and the information must not be retained any longer than is necessary to achieve the purpose for which it was collected.

Further Processing Limitation

The fourth principle limits the grounds on which further processing may take place. Any further processing must be compatible with the purpose for which the information was originally collected under the third principle.

Information Quality

The fifth principle concerns information quality. The responsible party must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading, and kept up to date where necessary.

Openness

The sixth principle is about openness in the collection and processing of information. You are responsible for maintaining documentation of all your processing operations and for informing the data subject, at the time of collection, of what information is being collected, from which source, for what purpose, and by whom.

Security Safeguards

The seventh principle makes you responsible for keeping personal information secure through appropriate, reasonable technical and organizational measures, and for notifying the Information Regulator and the affected data subjects as soon as reasonably possible where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized person.

Data Subject Participation

The eighth principle gives the data subject the right to access their personal information, to be told the identity of any third parties that have had access to it, and to request the correction or deletion of that information.

What are the exceptions under POPIA?

Although all of the above principles must be followed to achieve compliance under POPIA, the Information Regulator may, by notice in the Gazette, grant an exemption to a responsible party to process personal information even if that processing breaches one of the conditions. Such an exemption may be granted in the following circumstances:

  1. The processing is in the public interest, which includes national security; the prevention, detection, and prosecution of offences; important economic and financial interests; historical, statistical, or research activity; and freedom of expression.
  2. The processing involves a clear benefit to the data subject that outweighs the interference with the data subject’s privacy.

What’s personal information under POPIA?

Personal information means any information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (a company or organization), including, but not limited to:

  • Information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, disability, religion, etc.
  • Information relating to education, medical, financial, criminal or employment history, and biometric information
  • Identifiers such as e-mail address, physical address, telephone number, location data, and online identifiers such as IP addresses, cookies, unique IDs, and search and browser history

What are the penalties for not being POPIA compliant?

The following are the consequences for not being compliant:

  • Administrative penalties
    • Administrative fines of up to R10 million imposed by the Information Regulator. Certain offences under the Act also carry criminal penalties of a fine and/or imprisonment of up to 10 years.
  • Enforcement notices
    • An order to stop processing personal information.
  • Civil action
    • Data subjects may bring civil claims for damages, including for distress, which can run into millions of rand.
    • Reputational damage from publicised claims.
  • General concerns
    • Loss of reputation, subsequent loss of customers, and possible failure of the organization or business.

How is Consent Defined under POPIA?

POPIA lists consent as one of the legal bases for processing personal information and includes provisions on how consent must be obtained and how it can be withdrawn. POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”

  • Voluntary: consent must be freely given and not made a hidden condition of using a service.
  • Specific: consent must be obtained for a clearly defined purpose and must not be vague or ambiguous.
  • Informed: the data subject must be properly notified of what they are consenting to and how their data will be processed before consent is given.
  • Withdrawable: the data subject may withdraw consent at any time, and the responsible party bears the burden of proving that consent was given.

How to Make Your WordPress Site POPIA Compliant?

Because cookies are online identifiers under POPIA, they fall within the definition of personal information. This means your website needs an adequate cookie consent mechanism: non-essential cookies (analytics, advertising, and similar) must not be set until the visitor has given prior, specific consent, and must be removed if that consent is withdrawn.

If you are looking for a tool to help your WordPress site comply with POPIA, the CookieYes GDPR Cookie Consent and Compliance Notice plugin is one of the best options. Its free version is enough to help you comply.

You can generate a compliant cookie banner for your website so that you obtain prior user consent, and you can fully customize its content, layout, colours, and behaviour, and display the banner in different languages.
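As an added example of the consent mechanism described above and in the consent section earlier on this page (this is not code from the original page or from the CookieYes plugin), the following script enforces the three properties a practitioner should check for: necessary cookies are set without consent, every other cookie is held back until the data subject opts in to its category, and withdrawal removes the cookies already set and stops further ones. A plain object stands in for `document.cookie` so the logic runs offline in Node; the cookie categories and the cookie-name-to-category mapping are assumptions a site owner would maintain.

```javascript
// Added example: consent-gated cookie handling for a site subject to POPIA.
// Not part of the page or any plugin. A plain object replaces document.cookie
// so the logic runs in Node; categories and cookie names are assumed values.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// now() is injectable so the consent record can be tested with a fixed clock.
function createConsentManager(cookieJar = {}, now = () => new Date()) {
  // Strictly necessary cookies need no consent; every other category is off
  // until the data subject explicitly opts in (no pre-ticked defaults).
  const consent = { necessary: true, analytics: false, marketing: false };
  const registry = {}; // cookie name -> category
  const pending = {};  // cookies requested before opt-in, set on grant
  const log = [];      // consent record: proof of what was agreed and when

  function assertCategory(category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error("unknown cookie category: " + category);
    }
  }

  // Returns true if the cookie was set now, false if it is queued for consent.
  function setCookie(name, value, category) {
    assertCategory(category);
    registry[name] = category;
    if (consent[category]) {
      cookieJar[name] = value;
      return true;
    }
    pending[name] = value;
    return false;
  }

  // Consent is specific: the caller passes exactly the categories ticked.
  function grant(categories) {
    for (const category of categories) {
      assertCategory(category);
      if (category === "necessary") continue;
      consent[category] = true;
      for (const [name, value] of Object.entries(pending)) {
        if (registry[name] === category) {
          cookieJar[name] = value;
          delete pending[name];
        }
      }
    }
    log.push({ action: "grant", categories: [...categories], at: now().toISOString() });
  }

  // Withdrawal stops further processing and removes cookies already set.
  function withdraw(categories) {
    for (const category of categories) {
      assertCategory(category);
      if (category === "necessary") continue; // cannot opt out of essentials
      consent[category] = false;
      for (const [name, cat] of Object.entries(registry)) {
        if (cat === category) {
          delete cookieJar[name];
          delete pending[name];
        }
      }
    }
    log.push({ action: "withdraw", categories: [...categories], at: now().toISOString() });
  }

  function hasConsent(category) {
    assertCategory(category);
    return consent[category];
  }

  // Copy of the consent log, for the "burden of proof" the Act places on you.
  function consentRecord() {
    return log.map((entry) => ({ ...entry, categories: [...entry.categories] }));
  }

  return { setCookie, grant, withdraw, hasConsent, consentRecord };
}

// Stand-alone walk-through with constructed cookie names and values.
function runDemo() {
  const jar = {};
  const cm = createConsentManager(jar);
  cm.setCookie("wp_session", "s3ss10n", "necessary"); // set immediately
  cm.setCookie("_ga", "GA1.2.1234", "analytics");     // queued until opt-in
  const beforeConsent = Object.keys(jar);
  cm.grant(["analytics"]);
  const afterOptIn = Object.keys(jar);
  cm.withdraw(["analytics"]);
  const afterWithdrawal = Object.keys(jar);
  return { beforeConsent, afterOptIn, afterWithdrawal, record: cm.consentRecord() };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The queue is the important design choice: scripts that try to set a cookie before the banner has been answered do not fail loudly or silently succeed, they wait, and the cookie is only written once the matching category is granted. The same gate should sit in front of loading third-party tags, not just in front of `document.cookie`.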