New amended draft regulations on POPIA have been published for comment, covering various steps that people can take in exercising their rights under POPIA and how businesses can request consent for direct marketing purposes.
By Peter Grealy, Karl Blom and Nozipho Mngomezulu from Webber Wentzel
On 15 October 2021, the Information Regulator published an invitation for public comments on the Amendment of the Regulations Relating to the Protection of Personal Information, 2018 (Draft Regulations).
The Draft Regulations set out the procedure to follow in certain circumstances contemplated in the Protection of Personal Information Act, 2013 (POPIA), including how:
* Data subjects may object to the processing of their personal information;
* Data subjects may request the correction, destruction, or deletion of their personal information;
* Responsible parties may request a person’s consent to process their personal information for unsolicited electronic direct marketing; and
* Data subjects may submit a complaint to the Information Regulator.
Objecting to the processing of personal information
The Draft Regulations have introduced flexibility on how people can object to their personal information being processed, allowing them to do so “in any manner that may be expedient”.
Organisations are required, under the Draft Regulations, to explicitly tell people about their right to object to the processing their personal information, in a manner that is distinct from other information communicated to those persons. This may require some businesses to revisit their privacy policies.
Requesting that personal information be corrected, destroyed, or deleted
The Draft Regulations provide that if a person requests an organisation to correct, destroy or delete their personal information, the organisation must notify that person of the action taken in 14 days. The Draft Regulations now include a definition that “days” are calendar days. Businesses would be required to ensure that they are able to properly consider and respond to these requests within 14 calendar days.
Requesting a person’s consent for direct marketing by unsolicited electronic communication
The Draft Regulations provide some latitude to organisations requesting a person’s consent to process their personal information for direct marketing through unsolicited electronic communication. The current POPIA regulations require that written consent be given in a prescribed form attached to the existing regulations. However, the Draft Regulations would permit an organisation to obtain consent using a form substantially similar to Form 4 or “in any manner that may be expedient”. This development would alleviate some of the administrative burden for businesses in ensuring compliance with this consent requirement.
Complaints to the Information Regulator
The Draft Regulations provide a clear procedure on how affected parties may submit complaints to the Information Regulator, with clarification on which parties may submit a complaint; the information which must be included in the complaint; where and how to submit a complaint (including how to submit a complaint on behalf of another person) and how to submit a complaint without revealing one’s identity.
Transitional provisions and codes of conduct
The Draft Regulations contain transitional provisions, in terms of which anything done under the current POPIA regulations is deemed to have been done under the Draft Regulations. That means organisations that have already applied to the Information Regulator for the issuing of a code of conduct, using the prescribed form attached to the current POPIA regulations, would not need to submit a fresh application to the Information Regulator on the amended prescribed form attached to the Draft Regulations.
The public is invited to submit their comments to the Information Regulator on or before 15 November 2021.