iStock

The outstanding parts of the Protection of Personal Information Act (POPI) are expected to be adopted soon.



This will mean that companies who unlawfully share your personal information with third parties could face stiff fines or even jail-time.

Draft regulations for the direct marketing industry would require written consent from consumers to allow unsolicited calls and messages, unless you are an existing customer of the company conducting the marketing.

For more stories, go to Business Insider's home page.

Companies who unlawfully share your personal information with third parties could face stiff fines or even jail-time soon, when the outstanding parts of the Protection of Personal Information Act (POPI) will be adopted.

Law firm Webber Wentzel reports that Pansy Tlakula, chairperson of the Information Regulator of South Africa, indicated in a television interview last week, that president Cyril Ramaphosa has been requested to adopt the remaining provisions of the act on 1 April 2020. The new laws should be effective by early next year.

Sections of the act are already effective, specifically the creation of the Information Regulator. But the most important requirements in POPI are now set to become law should the president respond positively to the request.

There will now be much stricter rules about how companies can collect, use, process, store, share and destroy the personal information of people in South Africa.

The new POPI legislation prescribes eight conditions for lawful processing that companies must comply with when processing personal information, says Webber Wentzel partner Peter Grealy.

The law demands that companies have policies in place about how information is collected from clients, how it is saved and protected, with whom it is shared and when it will be destroyed. There are also restrictions applicable to the transfer of personal information out of South Africa.

The new law also has much stricter requirements about how companies may obtain your consent for the processing of your personal information.

For example, when you download an app, a pre-ticked consent box won’t be allowed, says Webber Wentzel senior associate Karl Blom. The general principle, Blom said, is that your consent must be voluntary, specific and informed. The person processing your information must state the purpose for which your personal information will be used.

Direct marketing

Currently, separate draft regulations for the direct marketing industry would require written consent from consumers to allow unsolicited calls and messages, unless you are an existing customer of the company conducting the marketing. There are expected to be strict rules about how consumers can opt in to receive direct marketing.

Large companies who do business across borders already have to comply with international data protection regulations, specifically the European Union’s General Data Protection Regulation (GDPR), which has been in place for some time.

But Grealy says that Popi is – in some respects – slightly stricter than the GDPR, and all local companies will have to ensure that their systems comply with the new act, and that their staff are trained to understand the requirements of POPI.

A big difference between South Africa’s data protection rules and those in the rest of the world is that the personal information of juristic persons (such as companies or trusts) is also specifically protected.

For example, the GDPR only extends to the personal information of natural persons, but in South Africa, a person would be required to treat the personal information of companies according to the same rules that are applicable to the personal information of natural persons. For example, they would have to delete the personal information of a corporate client after a prescribed period of time.

Receive a daily update on your cellphone with all our latest news: click here.

Also from Business Insider South Africa: