South Africa’s Protection of Personal Information Act (Popia) will finally come into force on 1 July 2020.
The Act has been put into operation incrementally, with a number of sections having been implemented in April 2014.
The legislation aims to promote the protection of personal information processed by public and private bodies and seeks to balance the right to privacy against other rights, such as access to information.
According to law firm Webber Wentzel, virtually all of the remaining provisions of the Protection of Personal Information Act are finally set to commence on 1 July. The exception is two provisions, sections 110 and 114(4), which will only commence on 30 June 2021.
These two sections deal with the amendment of laws and the transition of certain powers from the South African Human Rights Commission to the Information Regulator, respectively.
Webber Wentzel said that operational provisions which will commence on 1 July 2020 (with the 12 month transition period mentioned above) are:
- The eight conditions of lawful processing;
- The appointment and obligations of the information officer;
- Rights of individuals regarding direct marketing by means of unsolicited electronic communications and automated decision making;
- Provisions regarding the transfer of personal information outside of South Africa;
- Enforcement provisions; and
- Offences, penalties and administrative fines.
Law firm DLA Piper noted that the delayed full commencement of the POPIA since April 2014 meant that the data protection compliance projects across many businesses began to lose steam.
“We have, however, seen many global organisations embark on data protection compliance projects as a result of their compliance obligations under the EU’s General Data Protection Regulation,” it said.
“Therefore, many of these organisations have initiated and implemented measures that take into consideration the local nuances applicable under POPIA.
“Understandably many of these institutions did not allocate resources to conducting POPIA compliance projects, as compliance was seen as a nice to have.
“Now that POPIA will come into force on 1 July 2020, both public and private bodies are obliged to use the one year grace period to get their houses in order to avoid the imposition of sanctions and/or reputational harm due to being non-compliant.”
DLA Piper said that the key areas that most organisations target in respect of compliance are:
- Implementation of technical and organisational measures to protect and prevent unauthorised access and acquisition of personal information;
- Reconsidering and/or putting in place measures for identified transborder flows of personal information – seeking prior authorisation of the Information Regulator where necessary and implementing data transfer agreements;
- Developing a culture of privacy through training of staff, updating and implementing policies and procedures and rolling out awareness campaigns;
- Reviewing and updating all customer, client, supplier and third-party agreements;
- Preparation of consent documents and privacy notices;
- Implementation of a data breach/incident response plan and policy;
- Implementation of a system for the management of data subject access rights in terms of POPIA and PAIA.
Is one year a realistic expectation in light of Covid-19?
DLA Piper said that institutions have been aware of the existence of POPIA for quite some time and have received warning from the Information Regulator to take steps to comply with POPIA in the interim.
However, in light of the unprecedented times that we find ourselves in, the implementation of any projects may be overly burdensome on institutions and it may in certain instances not be realistic to expect institutions to reach a 100% level of compliance by 1 July 2021
It noted that there are two points of comfort for such entities:
- The grace period may be extended by the Information Regulator, this could be due to lack of operational readiness by 30 June 2021; and
- Most of the offences for non-compliance do not result in immediate sanction, rather a process is followed to issue a compliance order and then enforcement notice for such organisation to comply with.
“Therefore, organisations should prioritise during the grace period compliance with those provisions of POPIA for which a fine may be imposed for a first offence, for example, failing to comply with the prior authorisation requirements under POPIA,” it said.
Commentary by DLA Piper South Africa’s Director Monique Jefferson and Associate Savanna Stephens
Additional commentary by Peter Grealy, Nozipho Mngomezulu, Karl Blom, Wendy Tembedza, Avuyile Gasela, Cindy Leibowitz, Dario Milo, Pooja Dela of Webber Wentzel.