On the 1st of July 2020 all but two of the remaining sections of the Protection of Personal Information Act, 4 of 2013 (‘’POPIA’’) come into effect.
The 1st of July 2020 is an extremely important date in the history of POPIA which was first enacted in 2013. From the above date all entities, both private and public, have twelve months within which to ensure compliance with the Act. The twelve-month grace period expires on 1 July 2021.
POPIA is an extensive piece of privacy legislation aimed at protecting against the unlawful collection, retention, dissemination and use of personal information. The intention of POPIA is to ensure that South Africa’s constitutionally enshrined right to privacy is safe guarded. Penalties for non-compliance are severe, with administrative fines of up to R 10 million, imprisonment, penalties, civil damages and most importantly, reputational harm.
POPIA has a wide scope and most private and public bodies will have to comply. Where these entities are not based within the borders of South Africa, but processes personal information within South Africa, they will be subjected to provisions of POPIA. This includes sole traders, partnerships, trusts, small and medium-sized enterprises (SMEs), large corporations, government entities, foreign companies, and anything else in between.
The definition of “personal information” is similarly expansive, and includes a person’s identity number, email address, phone number, marital status, biometrics, employment history, banking information, health-related information, data related to their economic status, personal views and private correspondence – even online identifiers such as IP addresses and cookies are deemed personally identifiable information. POPIA goes a step further than most data protection legislation, in that it includes juristic persons under the definition of data subjects.
South African businesses are recommended to start preparing for compliance early on, as the changes within the business of this magnitude and the integration of the principles of data protection into business processes will take time.
- The role of the information officer is most crucial. For a private company, the CEO will be the information officer, or a person duly authorised by the CEO for that purpose. The POPIA regulations extend the information officer’s duties and impose certain mandatory responsibilities.
- The next step is to secure the necessary buy-in from the organisation and to assign responsibility for ensuring POPIA compliance. Thereafter, each business unit/department may start with personal information audits to determine the personal information processed by the business, how it is collected, processed, stored, and destroyed and whether the necessary consent has been obtained.
- This level of visibility, early on, will put organisations in a much better position to perform proper gap analysis and prioritise those areas most at risk. Existing policies can be updated and, where necessary, new policies created and implemented to address the actual compliance gaps identified during gap analysis. These may well include updates to employment or supplier contracts, supplier on-boarding processes, marketing policies, consent wording, record retention policies, subject access request policies, and data protection policies.
- Organisations will also be required to develop, monitor, and maintain a manual as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2 of 2000 (“PAIA”) (which must be made available to any person upon request). In addition, organisations will be required to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent: (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information.
- The information officer is to ensure that the compliance framework is implemented, monitored, and maintained throughout the organisation. The final step to compliance would be to ensure the proper socialisation and implementation of systems, policies and procedures through training, internal awareness sessions, annual re-training, and compliance audits.
Author: Lyalle Windvogel