Less than 100 days before SA's strict new privacy rules. Here's how it will affect you

South African businesses must comply with the new rules of the Protection of Personal Information Act (POPIA) by the start of July – or face jail time and fines.
The new rules should mean much less spam and robocalls because companies will need your permission to contact you.
All businesses, big and small, will need to put things in place to comply, including a privacy policy.
For more stories, go to Business Insider’s home page.

There are less than 100 days to go before business owners must comply with South Africa’s strict new data privacy law. Failure to do so could mean jail time or large fines.

The Protection of Personal Information Act (POPIA) of 2013 came into effect last year, but companies had one year – until 1 July 2021 – to comply.

“Failure to comply with certain provisions of POPIA may result in the Information Regulator (IR) imposing an administrative penalty of up to R10 million as of 1 July 2021 or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment,” the regulator said this week. The IR is a newly established office, created by the Act.

“South Africans will now have the right to privacy afforded to them by the constitution,” says Ahmore Burger-Smidt of Werksmans Attorneys. “We now need to deal far more diligently with the information we collect. Companies can only collect what is necessary and have a legitimate reason to collect that information.”

“It’s like when the Consumer Protection Act (CPA) came into force,” says Francis Cronje, an information governance specialist and contributor to the POPI Act. “Before that, people understood they had certain rights, but it didn’t really affect their life. Now if I buy something and it’s not right, I have certain recourse under the CPA.”

The basic intention of POPIA, he says is “not to impede the free flow of information. It means that if you collect my personal information, you don’t lose it, and you treat it with respect”.

“Say I buy a watch and the shop asks for my name and surname,” says Cronje. “Now they’re not allowed to share that information with anyone else, or send me marketing without my consent. They can’t share it with people I’m not aware of, or that I haven’t authorised.”

POPIA means the end of spam and robocalls – under certain circumstances.

Come 1 July 2021, you’ll receive fewer spam voice messages on your phone (known as robocalls), and fewer spam SMSes. It doesn’t mean they’re going away, says Elizabeth de Stadler, co-founder of Novation Consulting and co-author of “A Guide to the Protection of Personal Information Act”.

“But it will be much harder to do, and you will have more control over when you get them.”

You won’t receive unsolicited robocalls and spam texts – and that “unsolicited” is a crucial distinction. Companies need to ask your permission to send you marketing material. If you’ve given that permission, they can contact you until you ask them to stop.

The buying and selling of information will be much, much harder. Companies have built up huge databases of contact details, including your phone number and email address, and these get bought and sold on the open market.

That’s not allowed anymore – a company is not allowed to pass on your details to another party. And if they do, you can lay a complaint with the Information Regulator, which has substantial powers.

“In countries with similar data privacy laws, a lot of these companies have gone bust,” says De Stadler. “If I were a data broker, I’d be very scared right now.”