According to Ahmore Burger-Smidt, Head of the Data Privacy Practice at Werksmans, dealers should ensure compliance with the Act sooner rather than later, since the act allows for significant penalties for companies found to be in breach of the law. These include fines up to R10 million and imprisonment.

Ahmore explains that the Act places a positive obligation on dealers to ensure that the comply with the Act when handling personal information. This becomes critical when one considers the volume of information from employees, clients and service providers that pass through a dealership on a regular basis.

The Act requires, among other things, that each business appoint a designated Information Officer, that all personal information is processed in a lawful manner and that the business receives consent (or has another legal ground) from both clients and personnel to handle their personal information.

It is important that companies provide training to all personnel who will handle personal information and put procedures in place to ensure that their processing of both personal information as well as ‘special personal information’ is lawful.

According to Ahmore, the current COVID-19 pandemic has placed the risks related to personal information under the POPI Act in sharp focus.

“Since the start of the lockdown, the number of cybercrimes has increased significantly. Criminals are using hacking, phishing attacks, malware, and ransomware to obtain personal information using COVID-19 as bait, further exposing companies who are storing this personal information.”

She points to the additional burden on companies to process their visitor logs – which constitute personal information under the POPI Act – in a legally responsible manner during lockdown. The visitor logs form part of the government’s contact tracing procedure, but the onus remains on the dealer to store these logs securely, use the information solely for contact tracing and reporting purposes and to de-identify the information in due course.