Must small businesses comply with POPIA?
Compliance with the Protection of Personal Information Act, 2013 (“POPIA”) does not depend on turnover or number of employees. Small businesses are subject to POPIA and must comply with it in full.
Small business owners are understandably concerned about the cost of compliance in the current economic climate. Advertisements trade on fear, imprisonment and hefty price tags to persuade you to buy expensive technology you may not need. Yet nobody is talking about privacy, which may be the trickier obligation for small businesses. Let us explain…
How do small businesses approach the POPI Act?
The starting point is to distinguish between the PROTECTION of personal information and your PRIVACY obligations under POPIA.
Protection
The protection of personal information requires small businesses to consider their organisational and IT risks with reference to the nature of their business, the number of employees, the type of personal data handled, and so on. POPIA requires you to understand these risks and to apply security measures that are appropriate to them (the Act speaks of “appropriate, reasonable technical and organisational measures”). These are not only IT risks: they extend to paper files as well as to relationships with employees and service providers who handle personal information on your behalf. Put simply, a small business is probably not expected to implement an IT infrastructure equivalent to that of a bank, unless its personal data risks indicate otherwise.
The compliance standard applicable to the protection of personal information is thus one of appropriateness or reasonableness, measured against your specific business risks. These protection measures should be recorded in a POPI policy that demonstrates (among many other things) an understanding of your personal data risks, how you are mitigating those risks within your small business, and a response plan for when those risks materialise, including how you will identify a security compromise and notify those affected.
Privacy
Often overlooked, privacy is a key component of POPIA and of our Constitutional right to privacy. Unlike the protection obligations, the privacy obligations under POPIA are absolute: you must comply with them strictly, regardless of the size of your business or its risk profile.
In oversimplified terms, small businesses must ensure there are lawful grounds for collecting personal information and must hold proof of consent where consent is the ground relied on. Obtaining consent is now a thorough exercise in itself and involves prior notification of (among many other things) what information is being collected, how it is being used and the purpose for collecting it. However, consent is not always required, as POPIA provides other lawful grounds for processing personal information. Other privacy requirements concern the accuracy, integrity, sharing, use and retention of personal information.
Compliance with your privacy obligations is therefore perhaps less simple and requires an understanding of how your small business handles personal information, from collection to disposal. Again, privacy measures should be recorded in your policies and procedures, with a record demonstrating your awareness of how you handle personal information.
This is the new normal
Hefty fines and possible imprisonment aside, protecting personal information and promoting privacy rights is simply the new way of doing business. The recent uproar over WhatsApp’s privacy policy is but one example of how these measures have become a critical component of the goodwill and reputation of any business.
We invite you to join our cause of growing small businesses sustainably by promoting, protecting and respecting personal information.
Our Solutions
We have developed a comprehensive yet simple toolkit of Policies & Procedures to help small businesses achieve compliance with both their protection and their privacy obligations under POPIA.
What you will gain from this toolkit:
- How to achieve a basic level of compliance quickly.
- Direction, knowledge and tools for your CEO or information officer.
- An understanding of how your organisation handles personal data and which data is considered high risk.
- What measures you need to implement and how you can implement them.
- A plan to respond to a data breach.
- An understanding of your POPIA stakeholders and how to protect them.
For more information email us: info@brooksandcompany.co.za.