PoPI

Most people have heard of the Protection of Personal Information Act (PoPI), which was signed into South African law in late 2013.


For many, the focus has been on the security implications: ensuring that personal data is not accessed without authorisation. PoPI, however, goes much further than defining how personal data may be captured and used. The Act governs the end-to-end life cycle of personal data within any organisation, irrespective of its size.

The Act provides for fines of up to R10 million, or imprisonment of up to ten years, for non-compliance.

What is Personal Information?

PoPI defines personal information as any information that can identify a natural or juristic person, or distinguish that person from another. This includes information as diverse as religion, medical history, biometrics, online identifiers such as screen names, and even the views or opinions of, or about, a third party.

PoPI applies to the data of any legal entity: a natural person, a company, a trust or a non-profit institution. It therefore extends beyond customer data and governs how you use data about every party you deal with, including employees, suppliers and partners as well as customers.

Data management principles are woven directly into the Act.

What does PoPI require?

Broadly speaking, PoPI controls how personal information is used within an organisation, from data capture to destruction.

The Act's requirements include:

  • Collecting and keeping only the information you need for a specific, stated purpose

  • Limiting access to personal data

  • Ensuring the quality of personal information

  • Allowing data subjects to see what you hold about them on request

How does our data management practice help?

Data Governance – identify and enrol key stakeholders to define, document, communicate and enforce acceptable-use policies for personal information within your organisation.

  • Condition 1: Accountability
  • Condition 2: Processing limitation
    • Data collection policies
  • Conditions 3 & 4: Valid purpose
  • Condition 3: Retention policies
  • Condition 5: Data quality standards and rules
  • Condition 7: Security policies
    • Breach management process
    • Data sharing agreements

Data Quality – ensure that the personal data used within your company is of an acceptable quality, and measure compliance with your data governance policies.

  • Condition 5: Data quality standards and rules

Master Data Management – ensure that you can give an accurate account of what data you hold about each data subject, irrespective of the channel they use to communicate with you.

  • Condition 5: Data quality standards and rules
  • Condition 6: Data subject notifications
  • Condition 8: Subject access

Metadata Management – understand where sensitive data is stored, and how it moves through the organisation.

  • Process register
  • Personal data inventory
  • Data quality metrics

Data Security – identify and control where personal data is held, who has access to it, and whether that access is appropriate.
