How a POPIA exemption can help your nonprofit
How can nonprofits protect their beneficiaries’ data and comply with POPIA’s strict requirements without harming operations? This article explains POPIA’s exemption provisions and the criteria nonprofits must satisfy to gain exemption approval.
What is POPIA?
POPIA is South Africa’s data privacy law that gives individuals rights over their personal information and places obligations on organisations to properly manage and secure that personal information. It establishes standards for lawful data processing and provides oversight by the Information Regulator.
Why nonprofits should consider POPIA exemptions
All nonprofits need to find a balance between achieving data privacy and achieving their important operational goals. Most people know by now that POPIA and other data protection laws are at the heart of that data privacy. Compliance with a law like POPIA is often complex, time-consuming, and expensive. These challenges can mean that no matter how much you want to comply to protect your beneficiaries, you are unable to do so to the extent required. A POPIA exemption can be just the relief that your embattled nonprofit needs. There are important requirements that you need to be aware of, though. POPIA requires that you meet these requirements before you can receive an exemption from the regulator.
What you may want to be exempt from
With all the data processing that most nonprofits typically do on a daily basis, there are commercial and legal risks that inherently arise. These risks usually arise because a law like POPIA has certain obligations that a nonprofit struggles to comply with due to the nature of the work the nonprofit does, or limitations related to budgets, resources, and capacity. Think of the following examples of POPIA obligations that your nonprofit may struggle with:
- Being unable to collect information directly from a data subject (such as a beneficiary) because it is cheaper and less time-consuming to get the information from another nonprofit you work with;
- Difficulties in limiting the processing to just a few identifiers – you may not want to limit the amount of information you collect because you intend to help the data subject in various ways over time;
- Not always knowing, or being able to limit, the period for which you need to keep the information. When a data subject asks you to delete their information (the right to be forgotten), you may be unable to fulfil that right;
- Only being able to afford basic security measures for the information, and wishing to ask the regulator to exempt you from putting more complex and expensive measures in place; and
- Being concerned that it takes a while for you to conclude contracts that impose data protection obligations on your service providers and partners, and wanting the regulator to excuse the delay.
How to get a POPIA exemption
The regulator would require your nonprofit to show that the processing that you want an exemption for is:
- in the public interest, meaning that it impacts a significant group of people (members of the public), not just a small group; and
- significantly and clearly beneficial to data subjects, even though the processing is not compliant with POPIA. Here, you would have to argue and demonstrate that the work your nonprofit does is aimed at improving the lives of your beneficiaries, and that any harm they may suffer due to your data processing is far outweighed by the benefits of your work.
Formatting and submitting your application
You would have to do your application electronically using the form designated by the regulator. Here are the common steps you would have to take:
- Get your Information Officer involved to help you. Also consider contacting Sicelo Kula for expert assistance with the application;
- Read the guidance note that the regulator issued;
- Download and prepare the Exemption Application Form;
- Attach a cover letter or supporting documents to help bolster your application; and
- Submit everything via email to this email address: POPIACompliance@inforegulator.org.za. To be safe, also consider sending the application to the email address that was published in the guidance note (exemptions.IR@justice.gov.za) but does not appear on the exemptions page on the regulator’s website.
What follows after you have submitted your exemption application?
The regulator will get back to you to acknowledge receipt of your exemption application. They will then assess your application and ask for any additional information or clarification. After that, they may either approve or reject your application. On approving your application, they would publish a notice in the Government Gazette.
Please note, though, that being granted a POPIA exemption does not mean that you no longer have to comply with anything in POPIA. There is a good chance that, while the regulator may approve your application, they may also attach certain conditions that you have to comply with in order for your exemption status to continue. They may give you a list of minimum actions that you have to take to protect the personal information that you process and to comply with POPIA.
How Michalsons can help your nonprofit
When the regulator approves your application, for example, but attaches extra conditions that your nonprofit must comply with, I provide expert assistance based on many years of working with nonprofits and understanding their legal issues. One example of how Michalsons is currently helping nonprofits is with the workshop entitled “Top 10 data protection and contractual issues for nonprofits,” which you should consider registering for and attending. Moving forward, we will be doing a number of these workshops for nonprofits and we do not want you to miss out.
All information & rights are accredited to https://hashtagnonprofit.org/, created & written by Hashtag Nonprofit, titled “How a POPIA exemption can help your nonprofit”. For more documents & toolkits by Hashtag Nonprofit, please visit https://hashtagnonprofit.org/insights.