How to Safeguard Your Digital Presence: A Simple Checklist for Website Compliance

By | Business, Information Technology Law / Cyberlaw

“It’s important to remember your competitor is only one mouse click away” (Doug Warner)

Your website, social media profiles, and other online platforms play a vital role in your business strategy and in staying ahead of your competition at all times.

However, it’s not just about marketing effectively. Ensuring compliance with regulations is equally crucial, although often overlooked.

Why is Compliance Important?

Compliance ensures that your business:

  • Meets all legal requirements.
  • Reduces risks associated with user engagement.
  • Enhances your brand’s image.
  • Builds trust and loyalty with users.
  • Safeguards your reputation.
  • Prevents unnecessary costs.

A Checklist for Website Compliance

Website compliance involves adhering to various laws, regulations, and standards governing online operations and content. Here’s what it entails:

  • Legal Compliance: Your website must follow local, national, and international laws, covering online business, intellectual property, and consumer protection requirements.
  • Accessibility Compliance: Websites should be accessible to people with disabilities, as mandated by some countries’ laws.
  • Cookie Compliance: Inform users about cookies and obtain their consent before placing them on their devices, as required by many countries.
  • Privacy Compliance: Comply with privacy regulations when collecting user data, such as POPIA in South Africa and (where applicable) GDPR in the EU.
  • Security Compliance: Implement security measures like encryption and secure logins to protect user data and prevent unauthorized access.
  • Content Compliance: Ensure content doesn’t violate copyright or trademark laws.
  • Financial Compliance: Adhere to regulations for online payments and financial transactions if your website conducts such activities.
  • Advertising Compliance: Ensure ads meet advertising standards and regulations to avoid deception or violation of laws.
  • Terms of Service/Supply and Policies: Make legal documents clear, transparent, and legally sound for users to agree to.
  • Industry-Specific Compliance: Some industries have specific regulations, like healthcare websites complying with health information privacy laws.

Integrate compliance into step 1 of your website’s development

Integrate compliance into the very earliest developmental stage of your website, focusing not only on content but also design and process. This ensures that your online presence remains compliant from the outset, reducing the risk of non-compliance issues down the line.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© LawDotNews

New Year, New Business – How to Pick the Right Legal Entity for It

By | Business, Tax

 “Owning one’s own business is an adventure – enjoy it every step of the way.” (From the SME Toolkit article referenced below)

First, three questions to ask yourself…

If you dream of going into business for your own account in 2023, ask yourself these questions before you get started –

  1. Am I an entrepreneur? You have an amazing idea, you can’t wait to launch your new business, success and wealth beckon! But wait a second – are you really suited for the hurly-burly of entrepreneurship? It can be hugely rewarding, not just in the financial sense but also in terms of lifestyle and life satisfaction. But it also carries far more risk than the classic “9 to 5 employee” option, so think long and hard before choosing. There are many online quizzes to help you decide – try for example DeLuxe’s “Quiz: Are you ready to start your own business?” here.
  2. What’s my plan? Without a plan you sail rudderless through some very treacherous and shark-infested waters. Start-up failure rates are high, but luckily there is plenty of advice available to help you plan your course. Read for example the Business Partners “Ten Simple Rules For a Successful Start-up” on SME Toolkit.
  3. What legal entity should I use to trade? Don’t make the rookie mistake of setting sail in just any old boat. Starting off in the wrong entity and then having to change mid-stream will mean a lot of unnecessary expense, hassle and risk. Rather plan long term – ask yourself where you want your business to be in 5 or 10 years, how big it will be, what your exit plan will be and so on.

    We set out below some brief thoughts on the various alternatives available to you, but upfront professional advice, specific to your particular needs and circumstances, is a real no-brainer here.

    So, what are your choices?

…and four business vehicles to choose from

You have four main options –

  1. A sole proprietorship (“sole trader”). You are the business, trading for your own personal profit and loss, perhaps under a trading name such as “Syd Smith trading as ‘Syds Plumbing’”.
  2. A partnership of 2 to 20 individuals or entities, pooling resources to carry on a trade, business or profession for a share of the profits.
  3. A private company (“Pty Ltd”) with any number of shareholders. Controlled and administered by directors.
  4. A trust (number of trustees and beneficiaries not restricted). There are various types of trust, with trustees controlling and managing trust assets and/or trading for the benefit of beneficiaries.

Note that you might be advised to combine one or more of these entities in a corporate structure, and that there are other specialised types of entity available to, for example, non-profit organisations (charities etc), professionals (lawyers, accountants, doctors etc) and the like.

The pros and the cons of each

Have a look at the illustrative table below for a summary of the advantages and disadvantages of each of these options.

Don’t forget the tax and estate planning implications!

Each of your choices carries with it a mixed bag of positives and negatives when it comes to both tax and estate planning implications. For an overview, have a look at SARS’ “Starting a business and tax” webpage, with a link to its “Tax Guide for Small Businesses” PDF.

That Guide is 102 pages long, and unless you are comfortable with the complexities involved, professional advice specific to your circumstances is again essential.

In a nutshell –

  • Estate planning: You may be advised to use companies and trusts for tax-efficient and practical transfer of wealth to future generations, as well as for asset protection from creditors both before and after you die. Both companies and trusts are “perpetual” in the sense that they survive changes in directors/trustees (resignation, removal, retirement, insolvency, death etc), with potential multi-generational savings in estate duty and avoidance of the cost and delays inherent in deceased estate administration.
  • Tax efficiency: Sole traders and partners are taxed at individual rates; trusts other than special trusts at a flat rate of 45%; companies at a flat rate of 27% (27% for years of assessment ending on 31 March 2023 and later, previously 28%) with 20% dividends tax when you take profits out. There are a host of other factors to take into account here, including aspects such as Capital Gains Tax inclusion rates, exclusions, exemptions, small business breaks and the “trust conduit principle” all being highly relevant to the ultimate question – will you be better off being taxed as an individual or will some form of corporate and/or trust structure be more tax efficient for you?

Take that professional advice!

© LawDotNews

Website of the Month: Four Key Areas in Your Strategic Planning

By | Business, Website of the Month
“Strategy is the art of carefully selecting where a business applies its focus and resources in order to achieve its ultimate aim. A large part of the work is in selecting what not to do rather than what’s to be added.”

Strategic planning is an essential part of optimising your business for success. Without it you will drift rudderless, unfocused and wasting effort and resources with no clear destination in mind. Jon Cherry’s article “The Four Strategies” on his Cherryflava website lists four key areas to consider – in combination, they will help drive your business forward, inspiring all the work, and the people, that hold your “North Star” vision close.

© LawDotNews

Directors at War: Terminating Email Access

By | Business, Company / Corporate / Compliance
“All is fair in love and war…and business is war.” (Jasmine Kundra)

When company directors are locked in dispute, one of them may be tempted to cut off the other’s access to emails and to the business server – a tactic likely to have immediate and serious consequences for the director thus cut off. Its appeal as a tactic to force the other director to the negotiating table is obvious, but the question is whether the director thus deprived has any legal remedy available to force immediate restoration of access. A recent Supreme Court of Appeal matter saw a director in that exact position trying to get his access back urgently with a “spoliation order” application.

“Cut off his email and server access”

When the two directors fell out, one (let’s call him ‘A’) applied for liquidation of the company on the grounds of deadlock. Director B opposed this application, and, alleging that A had resigned his directorship, instructed the web hosting entity hosting the company’s server and email addresses to cut off A’s ‘email and company network/server access’ with immediate effect. A, denying hotly that he had resigned, immediately applied to court for a “spoliation order” restoring his email and server access to him.

Spoliation – a quick and effective way to get back possession, but only if…

  • The spoliation process is designed to stop disputing parties from taking the law into their own hands and provides a quick and effective way of regaining possession of something if you have been wrongfully deprived of it. It’s a quick and effective remedy because “[T]he injustice of the possession of the person despoiled is irrelevant as he is entitled to a spoliation order even if he is a thief or a robber. The fundamental principle of the remedy is that no one is allowed to take the law into his own hands”. In other words, you can get an immediate spoliation order without having to prove your right to possession of the thing – all you have to prove is the wrongful dispossession.
  • So that would have been an ideal outcome for A, giving him immediate restoration of his access to his emails rather than having to fight his way slowly through a full trial proving his rights to email and server access. But it was not to be. His problem was that, in order to get a spoliation order, one of the first things you must prove is that you were in “peaceful and undisturbed possession” of something.
  • Now A would have been able to prove such possession if he had for example been wrongfully deprived of use of a company car or even of an “incorporeal” right to use property (such as “quasi-possession” of a right of access under a servitude). But he was unable to convince the Court that his email/server access fell into any such category.
  • As the Court put it: “Thus only rights to use property, or incidents of occupation, will warrant a spoliation order.” A’s prior use of the email address and server was not an “incident of possession of movable or immovable property”, it is purely “a personal right enforceable, if at all, against [the company].”
  • In a nutshell, A must now prove his legal right to email and server access – perhaps he will be advised to apply for an ordinary interdict, perhaps he will sue for damages and/or re-instatement, but whichever course he chooses he will need to accept the inevitable delays. In other words, if B’s tactic was to put immediate and substantial pressure on A in the short term it worked – at least for now.

Don’t however take any action like this without professional advice – it could come back to bite you badly if it misfires.

© LawDotNews

Another mystery investor emerges to rescue Africrypt investors at 65c in the rand

By | Business, Criminal Law / Crime, Information Technology Law / Cyberlaw, Insolvency / Liquidation

Barely a week after a mystery ‘white knight’ offered creditors $4 million (R64 million) to bail out investors in the failed Africrypt scheme, another mystery investor has appeared with a better offer of $5 million (R80 million), equivalent to 65 cents in the rand.

The first offer made in November was also for $5 million, though only $4 million of that would go to creditors, with the remaining $1 million (R16.13 million) going to the running of the company.


This latest offer of $5 million is a simpler offer, with a timeline of seven days for acceptance, after which the ‘white knight’ will purchase and take cession of the claims.

Africrypt collapsed in April after its accounts were supposedly hacked and emptied of all funds. But it turns out this was not the first hack to have plagued the founders of Africrypt – brothers Raees and Ameer Cajee – and their investors.

As Moneyweb reported, a previous investment scheme of theirs was supposedly hacked in May 2019, causing more than a few Africrypt investors to suspect foul play. Two hacks in less than three years seemed a stretch too far for some investors, who suspect the Cajees are now using proxies to make an offer of compromise with the hope of avoiding jail time.

The latest offer of 65 cents in the rand is on investors’ deposited amount, not the current value of the ‘hacked’ bitcoin or Ethereum.

Investors who deposited into Africrypt in September 2019 would have paid about R120 000 for their bitcoin – which is today worth about R800 000.

This offer effectively means investors will be paid out less than R80 000 per bitcoin, for an asset that is worth 10 times that today.

Africrypt was run by the Johannesburg-based Cajee brothers, who solicited funds from investors by promising returns as high as 10% a day using a computerised trading algorithm.

These promises were even more outrageous than MTI’s claims of 0.5-1.5% returns a day.

MTI was placed in provisional liquidation a year after failing to pay out members’ requests for withdrawals. MTI also claimed to have a computerised trading algorithm, though no evidence of this was found by the Financial Sector Conduct Authority (FSCA) when it looked into it.


Similarly, there is no evidence the Cajees were trading the cryptos entrusted to their care.

The Cajees disappeared around the time of the alleged hack, and are believed to be in the Middle East.

The first offer to buy out the claims of Africrypt investors made in November came with a catch: anyone accepting the offer would have to withdraw criminal charges against the Cajee brothers and their affiliated entities.

This condition was likely unlawful, and is referred to as ‘compounding’ in law, which is agreeing not to prosecute a crime in return for a reward.

The second rescue offer presented to investors last Friday (December 3) carries no obligation to withdraw criminal charges.

The first offer specified that the Cajees would be employed by Africrypt, which would be resuscitated as a trading entity so that investors could potentially earn back their full investment.

Investors hoped this would provide them with an opportunity to interrogate the Cajees as to the circumstances surrounding the alleged hack, and whether it was a genuine hack or an inside job. The Cajees have maintained the hack was genuine, and denied any involvement in what some believe was a heist, according to the BBC.

The identities of both the first and second ‘saviour’ investors remain unknown, though Ruann Kruger, legal representative for the Africrypt liquidators, says the second investor is a company.

“I am prevented from disclosing the identity of the company at this stage due to a non-disclosure agreement,” he tells Moneyweb.

“We have no idea of the identity of the first investor,” he adds.

Kruger says so far 35 out of 181 investors have signalled their intention to accept the offer.

Says a representative for some investors: “There are of course suspicions that this offer is coming via a proxy for the Cajees, and that we are being paid out with [our] own money. Either way, this is a clever tactic by whoever the investor is. It’s a divide [and] rule tactic.

“What I see happening here is the smaller investors are going to accept the offer, then the larger investors will be dealt with piecemeal. It’s a clever strategy, but a high risk one, because I believe some of the investors will not accept this offer, and will hold out for a better offer.”

Attorney Gerhard Botha, who is representing some of the investors, says any offer of 65 cents in the rand in any liquidation situation is not a bad deal.

“You must remember that up to now, there’s been no offer on the table. There’s also no proof that there was a hack, and there’s no proof that the money was actually invested [by the Cajees]. There is a strong possibility that this is a great deal for the Cajees, both legally and financially, but at the end of the day investors will make a decision based on purely commercial considerations,” he adds.

In a letter to Africrypt investors sent out on Friday, the joint provisional liquidators say they had not received any further communication or feedback from the first “third party investor” on the amended terms of the compromise offer – which attempted to indemnify the Cajees against criminal prosecution.

This raises suspicions among investors that the Cajees were behind the offer, which they decided to drop when it was pointed out that they could not buy their way out of potential jail time.

The letter from the provisional liquidators says the second offer of compromise is “a good, firm and less complicated offer that is open for acceptance for the next seven days”.

Those who accept the offer will receive 65 cents in the rand for any proven claim within five days of signature.

Africrypt investors are reckoned to have deposited about R120 million, though their stolen cryptos are today worth many times this amount.

PAIA Manuals and the 31 December 2021 Deadline: Crying Wolf Again, or Real This Time?

By | Business

“A man who procrastinates in his choosing will inevitably have his choice made for him by circumstance.” (Hunter S. Thompson)    

Since 2005 businesses have been repeatedly told “get your PAIA (Promotion of Access to Information Act) manual sorted now, the deadline is approaching”. And every 5 years since then, those (mostly smaller) businesses temporarily exempted from lodging manuals have been given yet another extension – usually at the very last minute.

“Crying Wolf” again?

With government “Crying Wolf” so often, small business owners can certainly be forgiven for treating this whole process with a great deal of scepticism. Perhaps though this deadline is one to take seriously, particularly since the related POPIA (Protection of Personal Information Act) is now fully in place and new PAIA Regulations have been promulgated to tie in with POPIA.

What businesses are currently exempt?

PAIA itself requires all public and private bodies to prepare, lodge and publish (including on any website you have) a PAIA information manual.  Every business operation, no matter how small, falls into that net – the definition of “private body” includes any person or partnership who carries on or has carried on “any trade, business or profession”, together with any “former or existing juristic person” and political parties.

In other words, all businesses of all types and sizes must have a PAIA manual once the current exemption comes to an end.

You are probably currently exempt if you are a smaller business, specifically a “private body”, including any private company.

But the exemption does not apply to any non-private company, nor to any private company in any of the business sectors listed below with either –

  • 50 or more employees, or
  • An annual turnover of or above specific thresholds – see the table below for details.

Do your Manual now anyway!

Even if the deadline is once again extended, you will almost certainly still have to comply somewhere down the line, and at least by getting this done now you have got rid of one annoying little red tape item from your Action List. Procrastinating, as Hunter S Thompson pointed out, just means having the choice made for you down the line.

Prepare your PAIA manual now; if you already have one, update it regularly.

© LawDotNews

Cajee brothers to appear virtually at Africrypt inquiry

By | Articles, Business, Information Technology Law / Cyberlaw, News

Africrypt directors Ameer and Raees Cajee, who shut their crypto investment platform in April over an alleged hack, leaving investors millions of rands out of pocket, are to appear next month before an inquiry ordered by the company’s court-appointed liquidators.

The brothers went into hiding earlier this year after announcing the hack, saying they feared for their lives after receiving several death threats.

The liquidators’ legal representative, Ruann Kruger, told ITWeb yesterday that the Cajee brothers have agreed to testify on 19 and 20 October through a virtual session.

They were initially subpoenaed to appear before the inquiry last week, but this was postponed after their attorneys asked for an extension in order to consult further with their clients and stating at the time that their safety was still in question.

While a responding affidavit to oppose final liquidation of Africrypt, which was signed by Raees Cajee, contains the stamp of the South African embassy in Dar es Salaam, Tanzania, dated 19 July, no one knows – or will say – where the two brothers currently are.

Kruger said the first part of the inquiry, held last Thursday and Friday in Pretoria, heard testimony from Daniel Opperman, Africrypt’s former compliance officer.

Opperman, who was testifying over a virtual platform, told how a few days after the hack took place and two days before the two brothers announced in a statement that the company had been hacked, he met with the Cajees, but the brothers made no mention to him that the alleged hack had taken place.

“[Opperman] said he was very surprised to read about [the hack] in the media,” said Kruger. He added that Opperman will return to testify further at next month’s hearing. Contacted by ITWeb, to confirm the details of his testimony, Opperman declined to comment.

Kruger said the inquiry also heard testimony from Wayne Naidoo and Steve Miller, a director and manager, respectively, of public relations (PR) company Duke Advertising, which signed a 14-month contract worth R3 million with Africrypt.

The contract was to run until the end of December 2021; however, just three months into the contract, the PR company was paid the full amount. Kruger said the fact that the PR company was paid in full before the completion of the contract raised a red flag.

Raees Cajee contends in Africrypt’s affidavit opposing final liquidation that the application was taken out against the wrong company and that clients signed investment contracts not with Africrypt but with an entity called Rae Create Wealth.

However, Kruger said bank statements obtained by Tayfin Forensic Investigative Auditors, the forensic investigators appointed by the liquidators, revealed that all transactions made to Africrypt were moved to Raee Create Wealth. He said this and other evidence is expected to appear in the forensic report on Africrypt.

Contacted yesterday, Africrypt’s attorney Rashaad Moosa of Shaheed Dollie Incorporated Attorneys declined to comment, saying the inquiry is a private inquiry and that as such, he couldn’t comment without getting the permission of the commissioner. However, he said he would be questioning witnesses further in next month’s session.

Earlier this month, a group of investors’ bid to get the court to place Africrypt in final liquidation was postponed to 15 November.

It follows a provisional liquidation order brought by the group, under the name Badaspex, which was granted in April by the Gauteng South High Court against Africrypt.

Article by: Stephen Tim

Your Website of the Month: Start a New Business Fast and Lean

By | Business, Website of the Month

The COVID-19 pandemic has closed many doors, but it has also levelled many playing fields and opened up a slew of new business opportunities. If you are one of the many budding entrepreneurs out there looking to start up your own business (perhaps by choice, perhaps after a business closure), you may wonder where and how to go about it.

Bizly’s “Start a business: How to get going fast, the lean start-up way” here shares some ideas for “action planning using rapid, feedback loops to get the business off the ground quickly and with minimal risk.”  Answer 6 preliminary questions, complete a one-page business plan, and prepare for launch!

© LawDotNews

Your Website of the Month: How to Plan and Hold Virtual Board Meetings

By | Business, Website of the Month

Virtual meetings are here to stay. Make the most of them with “Optimising the virtual boardroom: A guide to planning and executing virtual board meetings” from Nasdaq Governance Solutions on Moneyweb.

Learn how to –

  • “Build a virtual board table” (“creating a virtual seating arrangement” and so on),
  • “Mitigate meeting day glitches” (we’ve all wasted time on fiascos!), and 
  • “Keep it confidential” (paramount).

© LawDotNews

11 POPIA Questions to Ask Yourself Before 30 June 2021

By | Business, Information Technology Law / Cyberlaw, Property

Note: This is a complex topic and there is no substitute for tailored professional advice. What is set out below is of necessity no more than a simplified summary of some practical highlights.

You and your business are at substantial risk if you aren’t fully compliant with POPIA (the Protection of Personal Information Act) on 1 July 2021.

The clock is ticking! Have a look at the Information Regulator’s Countdown Clock here to see exactly how many days (and hours, minutes, and seconds!) you have left.

Be ready! Be compliant! Ask yourself these eleven questions –

  1. Does POPIA really apply to us?
    As soon as you in any way “process” (collect, use, manage, store, share, destroy and the like) any personal information relating to a “data subject” (suppliers, customers, members, employees and so on – whether individuals or “juristic persons” such as corporates and the like), you are a “responsible party”. The formal definition of a responsible party is “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information” – very few businesses and organisations will fall outside that net. Equally you are unlikely to fall under exemptions such as that applying to information processed “in the course of a purely personal or household activity”. But don’t panic – compliance is easily attainable for most businesses, particularly if you are a smaller operation with little in the way of sensitive personal information. Answer the questions below to get a feel for areas you need to concentrate on now.
  2. What risks do we run if we don’t comply with POPIA?
    If a data subject suffers any loss as a result of your breach of POPIA, the subject (or the Regulator at the request of the subject) can sue you for damages and you will be liable even if your breach was unintentional and not negligent. You also face criminal prosecution, penalties and administrative fines for some breaches.
  3. Have we registered our Information Officer/s?
    You must register your Information Officer (“IO”) with the Information Regulator – go to the Regulator’s Online Portal for the online and PDF versions of the registration form, plus the email address for support enquiries and a link to the Search page. The IO is responsible (and liable) for all compliance duties, working with the Regulator, establishing procedures, and the like. You are automatically your business’ IO if you are its “Head” i.e., a sole trader, any partner in a partnership, or (in respect of a “juristic person” such as a company) the CEO, MD or “equivalent officer”. You can “duly authorise” another person in the business (management level or above) to act as IO and you can designate one or more employees (again management level or above) as “Deputy Information Officers”.
  4. Do we have a list of all personal information we hold, and how and why we hold it?
    Make a full list of all the personal information you hold/process, whether physically or in electronic form. Then evaluate it against the test that, to collect and “process” personal information lawfully, you need to be able to show that you are acting safely, lawfully, and reasonably in a manner that doesn’t infringe the data subject’s privacy. You must show that “given the purpose for which it is processed, it is adequate, relevant and not excessive”. Data can only be collected for a specific purpose related to your business activities and can only be retained so long as you legitimately need to (or are allowed to) keep it for that purpose.
  5. What security measures do we have in place?
    You must “secure the integrity and confidentiality of personal information in [your] possession or under [your] control by taking appropriate, reasonable technical and organisational measures to prevent … loss of, damage to or unauthorised destruction of personal information … and unlawful access to or processing of personal information.” You are at great risk of liability and penalties if you suffer any form of data breach from a risk that is “reasonably foreseeable” unless you can prove that you took steps to “establish and maintain appropriate safeguards” against those risks. If you haven’t already done so, brainstorm with your team all possible internal and external vulnerabilities (physical as well as electronic) and address them.
  6. Do third parties hold/process personal information for us?
    If third parties (“operators”) hold or process any personal information for you, they must act with your authority, treat the information as confidential, and have in place all the above security measures. Further restrictions apply if the third party is outside South Africa.
  7. Do we know what to do if we suffer a breach?
    Any actual or suspected breaches (called “security compromises” in POPIA) must be reported “as soon as reasonably possible” to both the Information Regulator and the data subject/s involved.
  8. Do we do any “direct marketing” and if so do we comply with all requirements?
    Most businesses don’t think of themselves as doing any “direct marketing”, but the definition is wide and includes “any approach” to a data subject “for the direct or indirect purpose of … promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject…”. So for example, emailing or WhatsApping your customers about a new product or a special offer will put you into that net. If your approach is by means of “any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail”, you must observe strict limits. Whilst you can as a general proposition market existing customers/clients in respect of “similar products or services” (there are limits and recipients must be able to “opt-out” at any stage), potential new customers can only be marketed with their consent, i.e., on an “opt-in” basis. They can be approached only once for that consent so keep a record of everyone you have asked.
  9. Does our website use cookies and if so do we have a cookie notice and policy in place?
    As countries around the world ramp up their privacy laws, we will all see many more examples of “cookie notices” on websites we visit. You may wonder how your own website should be configured, and the short answer is that if it uses cookies (almost all do), POPIA very likely applies despite the fact that there is no specific mention of cookies in the current legislation. Bottom line – to be on the safe side, have a cookie notice and policy in place. Keep yours simple and user-friendly.
  10. Do we have a privacy policy and a POPIA manual in place?
    POPIA – unlike PAIA (the Promotion of Access to Information Act) – doesn’t require you to have a POPIA manual in place but in larger businesses it is certainly a good idea to prepare one. However, you should certainly have a privacy policy in place. Make sure that everyone in your organisation is aware of it and of how critical it is to comply with it at all times.
  11. Is our staff team ready?
    Check that everyone in your business understands your compliance plan and their own individual roles and responsibilities in it. Make sure that nothing falls through the cracks – assign specific tasks to specific staff members.
Bodies Corporate and Homeowners Associations – how POPIA affects you

Bodies Corporate and Homeowners Associations (HOAs) fall into the POPIA compliance net and should be asking themselves the questions above.

In assessing what personal information you hold, how and why you hold it, and who you are sharing it with, remember to include not only scheme owners and HOA members but also your auditors, attorneys, managing agents, the CSOS (Community Schemes Ombud Service), security service providers and the like.

If you have gate security in the form of visitor registers, scanning of licence plates and driver’s licences and so on, be ready to address questions around having lawful reason for collection and retention of all the personal information you are gathering in this manner.

Disclaimer: The information provided herein should not be used or relied on as professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your professional adviser for specific and detailed advice.

© LawDotNews