FAQ - IO Privacy

DON'T WORRY ABOUT POPIA

THAT'S OUR JOB

Making POPIA and PAIA compliance admin effortless, for solo professionals and SMMEs.

faqs - what is privacy compliance?

What are POPIA and PAIA?

POPIA is the Protection of Personal Information Act. It’s the law that says how we can and can’t handle personal information in South Africa.

PAIA is the Promotion of Access to Information Act. It’s the law that says when and how organisations have to share any information they have.

What must I do for POPIA?

POPIA says that if you want to handle personal information in South Africa, you have to meet certain conditions: Accountability, Limitation, Specification, Further Limitation, Quality, Openness, Security, and Participation.

These conditions are flexible, and how you meet them depends on your context. A bank might need to encrypt its data; a coffee shop might not. You might be meeting most of them already.

The conditions can get very complicated, but the most important of them are Accountability and Participation. These show that you take data protection seriously, and are open to listening and improving where necessary.

And the easiest way to meet these is by registering your Information Officer, and having an open line of communication between you, the Regulator and your data subjects.

How do I do any of that?

You don’t. We do.

You just give us a few details, and we’ll handle the rest.

Do I need to comply with POPIA and PAIA?

Yes. Everyone needs to comply with POPIA and PAIA.

You can read the official text of POPIA and PAIA online.

What must I do for PAIA?

PAIA is a bit more rigid, and gives you more specific tasks to do.

The most important of these are to get a PAIA manual, upload it to the Regulator, and report on the requests you received each year.

This tells people what records you have and how they can access them, and shows the Regulator that you’re being responsible.

Why should I care?

Because POPIA applies to you whenever (and however) you handle personal information, outside of the home.

Because personal information is extremely valuable to businesses and criminals alike, and should be kept safe.

Because if you don’t, the Information Regulator could fine you up to R10,000,000 or 10 years in jail.

FAQS - HOW DOES IO PRIVACY WORK?

What do you do, exactly?

1. We register your business and information officer on the Information Regulator’s portal.

2. We set up a unique mailbox for your business on our platform.

3. We draft a PAIA manual for you with our details, and upload it to the Regulator’s portal.

4. We monitor your unique mailbox for POPIA or PAIA queries or access requests, and guide you on how to reply.

5. We submit your annual report to the Regulator, detailing the requests received.

Why can't I register on my own?

You can. And if you don’t sign up with us, you should!

But we’ve found that it tends to involve a lot of technical detail for small businesses to wrap their heads around, and many just end up not doing anything at all – which isn’t safe for anyone.

Do you reply to requests for me?

Not at the Professional tier, no.

For us to reply on your behalf, we’d need to know exactly how and why you process the information in question. This would require a much deeper and more costly relationship.

How do you "guide me on how to reply” to requests?

You don’t need to honour every request that someone sends you.

We’ll handle the time-consuming and technical admin, like making sure that every request follows the right processes to make it a lawful request.

We’ll also let you know how you should respond to a lawful request, so that you don’t get into trouble by doing too little (or too much).

Why do you put your details in my PAIA manual?

Your PAIA manual tells people how to contact you.

By listing our details, we’ll get the queries and manage them without you having to worry about them.

If there’s anything that requires your input, we’ll contact you, and help you handle it without the hassle.

Why do you upload my PAIA manual to the Information Regulator’s portal?

Uploading your PAIA manual makes it publicly available, so people can find it there and get in touch – even if you don’t have a website.

What if I need other privacy help?

We’re happy to consult with you as an add-on, and we have a range of partner companies that offer every other privacy solution you could require.

faqs - Which option is right for you?

The right option depends on the size of your organisation, and whether the personal information you collect is “high touch” or “low touch”.

High touch means that your data subjects have strong reasons to question how you use their personal information.

Low touch means that your data subjects have little reason to question how you use their personal information.

I’m an SMME or professional with low touch personal information

This includes: tradesmen, restaurants, franchisees, psychologists, corporate consultants.

Your best option is likely the Professional tier.

I’m an SMME or professional with high touch personal information

This includes: schools, medical doctors, car dealerships.

Your best option is likely the Corporate tier.

I’m a large organisation with low touch personal information

This includes: hotels, franchisors, business-to-business goods or services suppliers.

Your best option is likely the Corporate tier (but could be Professional).

I’m a large organisation with high touch personal information

This includes: direct marketers, credit providers, insurance companies.

Your best option is an internal information officer and privacy team.