After a seven-year wait President Ramaphosa has announced that 01 July 2020 is D-Day for the commencement of the POPI Act.
By Ezra Pillay, compliance specialist at LexisNexis South Africa
Businesses will have a grace period of 12 months in which to ensure they are compliant with the various parameters of the Act. A forerunner of a new generation of legislation for South Africa, the Protection of Personal Information Act No. of 2013 was originally anticipated for April this year.
The South African Constitution provides that everyone has the right to privacy, which the POPI Act gives effect to, safeguarding personal information while balancing the right to privacy against other rights such as the right of access to information and the free flow of information. Entities that process personal information will need to do so in a lawful manner, ensuring the safety of the information they have access to, protecting individuals from data breaches and information theft.
While the POPI Act has been a long time in the making there was previously no information regulator in existence and infrastructure has had to be established from the ground up, with South Africa playing catch up to the rest of the world in terms of privacy laws. The Act was originally tabled 12 years ago, in 2009 and signed into law in 2013, yet very few of the provisions in the Act have been operational to date.
The Act has been implemented incrementally since April 2014, with the remaining provisions requiring readiness on the part of the Information Regulator, the members of which took office on 01 December 2016, to assume its powers, functions and duties in terms of the Act.
The provisions to commence 01 July 2020 include Section 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) include, amongst others, the conditions for the lawful processing of personal information, provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act and stipulating that within one year of the commencement of the Act, all entities will be required to comply.
Two sections, Section 110 and 114 (4) will commence on 30 June 2021, following the effective transfer of functions of the Promotion of Access to Information Act, 2000 from the South African Human Rights Commission to the Information Regulator.
Although the Act allows for a 12-month period for complete compliance, it stands to reason that both the private and public sector should attempt to comply as soon as possible to protect the rights of individuals.
The appointment of a dedicated POPI Act compliance officer or team, dependent on the function and size of the organisation, upskilling of this function and provision of access to tools that deconstruct the specifics of the Act should be prioritised.
These tools need to provide detailed and understandable commentary, practical checklists to follow for the implementation of the regulations in plain, understandable language to ensure compliance is achieved, and penalties avoided.