
Small to medium-sized enterprises (SMEs) operating in South Africa have to navigate one of the world’s most complex regulatory environments. Business regulations in the country range from business registration to compliance with industry-specific regulations. Two regulations that all businesses – small and large – have to robustly comply with are POPIA and PAIA.
Enforced by the Information Regulator, these two laws work in tandem to balance privacy and transparency, important governance, risk and compliance (GRC) pillars of the digital world.
Founders looking to avoid receiving a call from the Information Regulator need to ensure they are complying with both laws. If they are not, there is no better time to start than now: even though these are small businesses, transparency and privacy matter to every customer.
In this article, we look at the defining characteristics of POPIA and PAIA, how they work together and the consequences of non-compliance for SMEs.
What are POPIA and PAIA?
POPIA stands for the Protection of Personal Information Act, a South African law that enforces the constitutional right to privacy by regulating how public and private organisations handle personal data.
PAIA stands for the Promotion of Access to Information Act, which gives effect to the constitutional right of access to any information held by the State or private bodies to foster accountability and transparency. It mandates that individuals can request records to exercise or protect rights, requiring institutions to compile access manuals.
The Information Regulator enforces POPIA and PAIA by monitoring compliance, investigating complaints, and issuing enforcement notices that can lead to fines of up to R10 million or up to 10 years' imprisonment.
Key Differences Between POPIA and PAIA
Although they are usually mentioned together, these two regulations serve different purposes and place different responsibilities on businesses. Understanding their differences is important for SMEs wanting to avoid unnecessary legal risks.
1. Purpose of Each Act
PAIA: PAIA is aimed at promoting transparency. Its primary purpose is to provide any person – whether citizen, employee or external stakeholder – the right to access records held by public and private bodies if the information is required to exercise or protect a certain right.
POPIA: POPIA focuses on the protection of personal information and sets the rules that outline how organisations may collect, store, use, and share personal data. In short, it is focused on privacy.
2. Who Must Comply?
PAIA: Public bodies (government departments, municipalities, state-owned entities), and private bodies (companies, NGOs, sole proprietors). Basically, if you conduct business in South Africa and keep any records, you must comply.
POPIA: Any public or private organisation that processes personal information and operates in South Africa must comply with POPIA. This includes everything from large corporations to SMEs, online stores and consultants.
3. Compliance Requirements
PAIA: All private and public entities must prepare and maintain a PAIA manual. It must be accessible on your website (if the company has one) or at the office upon request and filed with the Information Regulator.
Additionally, the head of the organisation must be registered with the Information Regulator. In terms of reporting, all private and public bodies must submit an annual report to the Regulator. If the deadline is missed, the Regulator may conduct its own PAIA compliance assessment of the entity in question.
POPIA: All organisations must follow POPIA's eight conditions for lawful processing. To implement a POPIA compliance framework, an organisation must conduct a risk assessment, train its employees, put operator agreements in place with its operators, appoint an Information Officer, and develop a privacy policy and an incident response plan.
Overlap Between POPIA and PAIA
While the Acts have different objectives, they do intersect in various ways, such as:
- Both Acts require an Information Officer who will be responsible for compliance.
- Both pertain to access to information, although POPIA focuses on individual personal data and PAIA focuses on general records held by organisations.
- Both Acts require documentation, processes and training.
- Both place obligations on how data is stored and managed.
Basically, PAIA facilitates access to information (including personal information), while POPIA sets the requirements for protecting that personal information during the process.
Consequences of Non-Compliance
If you are not compliant with POPIA and PAIA, you risk exposing your business to significant legal, financial and reputational damage. The following are examples of non-compliance with the Acts.
1. Failure to Appoint an Information Officer
Any entity that fails to appoint an Information Officer is in breach of both POPIA and PAIA. Because the Information Officer is responsible for ensuring compliance, failure to appoint one is a direct violation and can lead to fines.
2. Incomplete or Outdated PAIA Manual
Every public and private body must have an up-to-date PAIA Manual. If your manual is missing, incomplete or outdated, you are in breach of PAIA and the Information Regulator may conduct an assessment of your business.
3. Failure to Submit Annual Report
If you do not submit your annual report, you are violating the Act. The Information Regulator's system tracks submissions, and failure to comply is considered a red flag for enforcement action.
4. Lack of Security Measures and Record Keeping
Failing to implement adequate security safeguards to protect personal information means you are at risk of data breaches. If the Regulator finds that you lack these security measures, it can investigate and impose substantial penalties.
5. Ignoring Data Subject and Access Requests
Failing to address requests from individuals for access to, correction of, or removal of their personal information is a direct infringement of both POPIA and PAIA. Making such requests is a right that every individual has, and all organisations must honour them.
The following are consequences of failing to comply:
- The Information Regulator can impose fines of up to R10 million for serious breaches.
- Non-compliance can result in criminal charges, with the possibility of imprisonment for up to 10 years.
- Public enforcement actions and data breach notifications can severely damage your organisation’s reputation and erode customer trust.
- Regulatory investigations and enforcement actions can disrupt your operations, leading to loss of business and legal costs.
If you have not yet complied with POPIA and PAIA, you must do the following immediately:
- Appoint and register your Information Officer.
- Compile, update, and publish your PAIA manual.
- Submit your annual PAIA report.
- Implement robust security and data protection measures.
- Train your staff and ensure everyone understands their obligations.