Adv. Pansy Tlakula, chairperson of the Information Regulator, has requested President Cyril Ramaphosa to announce 1 April 2020 as the commencement date for Protection of Personal Information Act, 2013 (“POPI Act” or the “Act”).
Although certain limited sections of the POPI Act have already commenced, the majority of the Act, specifically the sections setting out the conditions for the lawful processing of personal information and enforcement thereof, is yet to commence.
Should President Ramaphosa act on Advocate Tlakula’s request, all businesses, whether private, public and/or state owned, shall have a one year grace period to ensure that any and all processing of personal information is done in compliance with the Act and therefore requires all companies to comply with its provisions by March 2021.
Don’t wait until it is too late! Be the leader of the #POPIpack
It is not a question of if the POPI Act will come into effect but rather when. Public or private bodies who do not comply with the provisions of the Act will stand the risk of incurring significant penalties, fines or even imprisonment as its commencement will grant certain powers and authorities to the Information Regulator to determine and issue appropriate fines and penalties to non-compliant organisations.
The transition for achieving complete compliance with the POPI Act is not accomplished overnight. Compliance is a habit that must be cultivated from within the organisation. This mandatory exercise takes time and requires ongoing development, monitoring and assessment.
In our experience, the time for acceptance, decision-making, implementation and eventually compliance with the provisions of the POPI Act could take between 6 and 24 months. Each business must be assessed on its own circumstances and factors and the means of implementation required in order to become fully compliant.
In addition to the powers granted to the Information Regulator, the Act will also require both public and private bodies to comply with the 8 lawful conditions of processing of personal information:
- Accountability. The responsible party, such as the owner of a business, takes full responsibility for how employees process personal information.
- Processing limitation. This condition prescribes how personal information may be lawfully obtained and processed.
- Purpose specifications. People must give informed consent to process information for a very specific purpose.
- Further processing limitation. There are restrictions on distributing information to anyone else or to use it for any other purpose.
- Information quality. POPI places an obligation on a business to ensure that the information remains correct and up to date.
- Openness. The responsible party must inform all affected parties if their personal information was compromised, like Facebook did.
- Security safeguards. Physical and digital security measures to protect personal information.
- Data subject participation. Respecting the right of people to have access to their own information and challenge it.
These conditions require organisations to implement at least the following best practices:
- The appointment of an information officer. Every organisation must appoint an information officer who will be responsible for the processing of any and all personal information in the organisation. In the absence of such appointment, this will automatically be the head of the organisation.
- An internal audit/ personal information impact assessment to determine the extent of adequate measures and standards put in place to ensure compliance.
- Mandatory disclosures to data subjects of the use of their personal information, including any and all other 3rd parties with whom their personal information is shared by your organisation.
- The development, implementation, monitoring and maintenance of a POPI Act compliance framework to cultivate good compliance habits in your organisation.
- The development, monitoring and maintenance of a manual as prescribed in terms of the Promotion of Access to Information Act, 2000.
- The development of internal measures and implementation of adequate systems to effectively process requests for access to information.
- The continuous creation of internal awareness and encouraging a culture of compliance through training sessions and workshops.
Need help? We are here to support you
Your personal Commercial Law advisors at VDT Attorneys are ready, willing and able to navigate the complexities of the POPI Act on your behalf to ensure not only compliance, but also sound corporate governance practices, in respect of data and information security. Our legal services will enable you, the business owner, to focus on your core business whilst we take the hassle out of compliance.
Together with our tech and training partners we have developed state of the art solutions that will help your organisation to be compliant with the provisions of the POPI Act. For more information on the products, services and solutions we offer please visit www.popipack.co.za.