On July 1, 2021, the Protection of Personal Information Act (POPIA) 4 of 2013 took effect. The Act was passed to safeguard individuals and organizations from the misuse and abuse of personal information in financial fraud and identity theft, for example. Companies are now required by law to preserve the privacy of the data and information they collect. Danie Hattingh, Past President of the Master Builders’ Association Western Cape (MBAWC) and Principal Officer of the Building Industry Bargaining Council’s Pension Fund, outlines how the POPI Act will impact the building industry.
Hattingh says, “The POPI Act will impact all businesses, regardless of their nature or size. Those in the construction industry, which is one of the leading employment providers and economic contributors, will need to ensure that they are compliant to avoid data breaches and reputational harm.”
“The first step employers can take to safeguard against liability in terms of POPIA is to ensure that their employees’ consent is obtained, and that the processing of their personal information is done for a specific purpose”, he says.
In addition to obtaining consent, Hattingh mentions that it is imperative for employees to know what their personal information will be used for. The Act further requires that organisations justify why they are holding personal information. This measure forces employers to assess what information it gathers, be it from employees, clients, service providers or other third parties, and helps determine whether the information gathered is indeed necessary. “Under the POPI Act, a business cannot keep a record of personal information once the reason or need for which it was collected no longer exists”, Hattingh explains.
In addition to the impact on their own employees, the Act will impact the construction industry in a number of other ways, including the following:
- Suppliers: Supplier companies will have to review the methods they use to conduct their direct marketing campaigns.
- External Communication: Communication shared with clients may require authorisation from the company’s target markets.
- Incident Management: Organisations will need to set up an incident management process to handle any data breaches in the sharing of personal information.
- Contract amendments: Existing contracts and obligations of service providers will need to be amended in accordance with the Act.
Businesses within the construction sector can ensure that they are POPIA compliant by:
- Appointing an Information Officer – this is mandatory for all companies in South Africa.
- Maintaining a catalogue of data protection threats.
- Regularly monitoring privacy business practices.
- Performing regular data protection threat assessments.
- Having an open-book policy with clients and advising them about the information the organisation is storing.
- Conducting awareness sessions with employees, clients, stakeholders and other third parties.
- Ensuring that personal data is always up to date.
Hattingh mentions that, although the Act might seem onerous, it comes with benefits as well, particularly for the construction sector. “Private employee records will now be stored more effectively and can be discarded once contracts come to an end. Clients will feel more comfortable knowing that their personal information is kept secure and not shared or sold to third parties. Another benefit of the Act is that it empowers companies by requiring that their internal processes and policies be reviewed often in order to comply,” says Hattingh.
Prior to the POPI Act coming into effect on 1st July 2021, Information Regulator Chair – Pansy Tlakula reported that technical glitches with the registration system were being experienced due to the increased volume of traffic on the site. However, the regulator assured that, as a result, no penalties would be applied for late registration. MBAWC encourages members to monitor the situation and to register when these issues have been rectified.
The MBAWC values and supports the POPI Act, and members can be assured that their information is securely stored. “We have appointed an Information Officer to oversee the implementation of POPIA in the organisation. When requested, we are also assisting our smaller member companies to reach POPIA compliance,” Hattingh concludes.