It is no secret to most South African business that the newly adopted Protection of Personal Information Act (hereinafter referred to as “the POPI Act” or the “Act”) will be coming into full swing on 01 July 2021. In terms of the Act, all South African businesses/organisations are required to comply with this Act or face possible and substantial consequences. [1]
We at SEESA CP & POPI often get questions from SME’s asking the following:
“We are a small business, surely POPI won’t have much of an effect on my business?”
From the outset, one must always determine whether the company is considered an SME (Small to Medium Enterprise) or a large corporation. The general rule of thumb is that if you have an organisation that has less than 50 employees then you would be considered a “small” business from a data protection perspective. Companies with more than 50 employees, would fall into the category of an SME or large corporate. [2] The problem is, however, that POPI can and will still have a high impact on any business (regardless of size) if such business poses a significant risk (in terms of the data it retains and uses in order to conduct business) to people (i.e. data subjects) – an example of such risk would be if an organisation (SME) that has a database of children under the age of 18 in South Africa.
It is for the aforementioned reason that an SME must always first take cognisance of the following in determining if they pose a high or low risk to their employees and 3rd parties such as clients and external vendors (i.e. data subjects):
- Does the SME actually process personal information, or is the processing of such information not part of their business model? (i.e. a hairdresser, is for e.g. an SME that is not considered to be data-driven).
- Does the organisation process any detailed personal information in terms of the Act? An example of such an SME would often be a small farm or agricultural holding that does not collect any information relating to one’s health/sex life, criminal background or any information pertaining to children.[3]
- Is there at all any likelihood that the processing of data by the SME will cause any damage in terms of their Constitutional right to privacy – if so, why is this the case and is the SME aware of the consequences.[4]
- Is the SME required to apply for prior authorisation from the Information Regulator? An example of such an SME would be a sole proprietor who acts as an attorney for his own account who processes information for the purposes of credit reporting.
In taking the aforementioned into consideration, it is our recommendation that all companies (SME’s or large Corporates) take proactive steps in becoming compliant with the Act before 01 July 2021. The purpose of the aforementioned is to point out that the Information Regulator does not seem to discriminate between SME’s and larger corporates. The Information Regulator will treat all SME’s the same way in which it will deal with those larger corporations regardless if said SME answers in the affirmative to the questions posed.
About The Author:
Beyers De Wet van der Watt started his career at SEESA in September 2020 and is currently a Consumer Protection & POPI Legal Advisor at SEESA’s Head Office in Pretoria. Beyers obtained his (LLB) 2017 and is an Admitted Advocate of the High Court and Pupil Member of the National Bar Council of South Africa (NBCSA) in Gauteng.
Resources:
- Botha, J., Eloff, M. and Swart, I., 2015. The Effects of the PoPI Act on Small and Medium Enterprises in South Africa. 1(1), p.1.
- Michalsons. 2021. Data protection for small business – Michalsons. [online] Available at: https://www.michalsons.com/focus-areas/privacy-and-data-protection/data-protection-for-small-business
- The Protection of Personal Information Act 4 of 2013.
[1] Botha, J., Eloff, M. and Swart, I., 2015. The Effects of the PoPI Act on Small and Medium Enterprises in South Africa. 1(1), p.1.
[2] Michalsons. 2021. Data protection for small business – Michalsons. [online] Available at: <https://www.michalsons.com/focus-areas/privacy-and-data-protection/data-protection-for-small-business> [Accessed 8 June 2021].
[3] Section 26 and 27 of the Protection of Personal Information Act 4 of 2013
[4] Section 109 (3) (e)of the Protection of Personal Information Act 4 of 2013