The buzzword on many lips these days, following the Presidency’s announcement on 22 June 2020, is the Protection of Personal Information Act (Act No. 4 of 2013) (“the Act”), which more commonly goes by the somewhat catchy acronym “POPIA”, or “POPI” as it is sometimes referred to.
The reason for the excitement is that South Africa’s long-awaited data and privacy protection law, which has been implemented incrementally since 2013 when the Act was first promulgated, has finally entered into effect on 1 July 2020. Certain sections of POPIA will only become effective on 30 June 2021, giving businesses and organizations a period of 12 months to comply with their obligations under the Act.
In this short question and answer session, we explore POPIA at a high level and set out some of its salient provisions. Over the next couple of weeks, we will publish a series of articles which seek to provide more extensive insight into several important topics relating to data privacy.
- WHAT IS POPIA?
- POPIA is South Africa’s data privacy protection law. It aims to promote the protection of personal information processed in and from South Africa, and gives actionable rights to the right to privacy enshrined in the Bill of Rights while balancing the right to privacy against other rights such as the right of access to information and the free flow of information. POPIA aligns South Africa with global data protection best practices, such as the General Data Protection Regulation (“GDPR”) and other similar laws.
- POPIA governs when and how businesses collect, use, store, delete and otherwise handle personal information in their possession.
- WHO DOES POPIA APPLY TO?
- POPIA applies to all public or private sector bodies processing (i.e. collecting, using or otherwise handling) personal information in South Africa, irrespective of whether they are local or offshore organizations. In other words, POPIA applies to all businesses, companies and individuals which process personal information in the Republic.
- This is incidentally one of the main differences between POPIA and the GDPR – POPIA regulates the processing of both private and corporate personal information, whereas the GDPR only regulates personal information belonging to individuals.
- WHAT SECTIONS OF POPIA HAVE NOW ENTERED INTO EFFECT?
- POPIA was first signed into law in 2013. Certain sections dealing with the appointment of the Information Regulator entered into effect in 2014 and very few of the provisions of the Act have been operational to date.
- The new developments are that the following sections have become effective on 1 July 2020:
- Sections 2 to 38, dealing with exclusions and the conditions for lawful processing of personal information;
- Sections 55 to 109, around the responsibilities of information officers, direct marketing and unsolicited electronic communications, codes of conduct and enforcement mechanisms (offences, penalties and administrative fines); and
- Sections 114(1), (2) and (3), providing specifically that all processing of personally identifiable information must comply with the Act by 1 July 2021.
- Two sections, Sections 110 and 114 (4), will commence on 30 June 2021, following the effective transfer of functions of the Promotion of Access to Information Act (Act No. 3 of 2000) (“PAIA”) from the South African Human Rights Commission to the Information Regulator.
- WHAT QUALIFIES AS “PERSONAL INFORMATION”?
- Personal information is any information that can be used to identify a living, natural person or (where applicable) an existing juristic person (such as a company or other organization).
- Examples of personal information include names, identity numbers, contact particulars, medical, financial or employment information.
- HOW WILL MY BUSINESS BE AFFECTED BY THIS?
- If you have not yet started implementing data protection measures in your organization or are only partially compliant, you have 12 months from 1 July 2020 to become compliant. Failure to do so could carry a R 10m price tag, as the Act imposes hefty penalties, fines and other adverse consequences for non-compliance.
- It is now an optimal time to review your data protection measures and policies, including an analysis of where you get your personal information from, how you handle it, and what you do with it. We suggest that if you have not yet started becoming compliant, you should do so as soon as possible as it can be a considerable effort for most organizations to become fully compliant.
- HOW DO I BECOME COMPLIANT?
- The appointment of an Information Officer (who will assume responsibility for your organisation’s compliance with POPIA and PAIA) is a further mandatory requirement.
- HOW IS POPIA ENFORCED?
- POPIA is regulated by the Information Regulator, currently headed by Adv Pansy Tlakula.
- In this age of digital change and innovation, protecting your and others’ data is critical. We offer you a full spectrum of data protection privacy services to assist you in determining your organization’s compliance with POPIA. We have advised on compliance and risk management across this area’s cutting-edge issues and are able to assist with the performance of due diligence, assessing the risk in your organizational context and becoming compliant with the required regulatory framework.
For any assistance with your business and its POPIA compliance, please feel free to contact one of our experienced attorneys.
Luïse von Dürckheim-Botes
BProc; LLB; LLM (Criminal Law) (Cum Laude); LLM (Corporate Law)
Corporate and Commercial Law
Phone: 012 361 9823