The Protection of Personal Information Act, Act No 4 of 2013 (“POPIA” or “the Act”) was signed into law in 2013, but most of its operational provisions only became effective recently, on 1 July 2020. Every business and all public institutions will be affected, as this development impacts every public and private body in South Africa.
Compliance with POPIA will be mandatory for most organisations in South Africa. The Act applies to any person or organisation who keeps records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.
Cognisance should be taken of the implications of the coming into effect of the POPIA Act and what it means for business owners.
Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) of POPIA commenced on 1 July 2020. Sections 110 and 114(4) shall, however, commence on 30 June 2021. The sections which commenced on 1 July 2020 are essential parts of the Act and comprise sections which pertain to, amongst others, the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication; and general enforcement of the Act. These sections are applicable with immediate effect as from 1 July 2020.
This forms the main part of the Act, and although Section 114 (1) (see below) gives a year, in principle, the time to act is now, and all organisations need to become compliant as soon as possible.
Sections 110 and 114(4) shall commence on 30 June 2021. Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be compliant with the Act. This means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 30 June 2021.
Private and public bodies should endeavour to be compliant with POPIA as soon as possible in order to give effect to the rights of individuals, and to give effect to the protection of private information, as this is the main objective of the Act.
POPIA regulates all organisations who process personal information; this includes, but is not limited to, information about employees, customers, suppliers and those who outsource key processing activities, share data offshore, or engage in direct marketing.
Do not be fooled into thinking that you have ample time to become compliant with POPIA.
Preparing your business to become fully compliant will take time!
POPIA requires that every business (private and/or public body) appoints an Information Officer. The duties and responsibilities of the Information Officer, as well as the designation of responsibilities to deputy information officers, are detailed in Sections 55 and 56 of POPIA. The Information Officer will primarily be tasked with the responsibility to encourage compliance with the conditions for the lawful processing of personal information. He or she will deal with any requests made to or by the Information Regulator. He or she will be tasked with implementing the compliance framework, taking adequate measures and standards to ensure POPIA compliance. He or she will also be responsible for conducting preliminary assessments to determine the need and requirements, developing the notices and policies required (by both POPIA and PAIA), and having them inspected and lodged with the Information Regulator. The Information Officer also has to implement measures and systems to process requests for or access to personal information and provide POPIA awareness training in his or her business.
The Information Officer has to be registered as such, by his or her business (or employer), with the Information Regulator, after which he or she will be allowed to act as and perform the duties of an Information Officer.
The Information Regulator is at present finalising the guidelines for the registration of Information Officers. It is expected that these guidelines will be available soon, and will in effect move businesses into action, as they will be required to appoint and register their Information Officers by no later than March of 2021.
Now, having regard to the responsibilities of the Information Officers, and the amount of work which will have to be conducted in preparation for compliance with POPIA, there is not much time between March and end of June. All affected by POPIA and required to be compliant should take immediate action to familiarise themselves with the requirements of the Act and to take the necessary steps to implement the Act or request assistance with compliance preparations.
Information is readily available in the media as well as on the web page of the Information Regulator and we urge you to keep updated and to take action sooner rather than later.
For any further information on POPIA you can contact Lorraine Oosthuysen at firstname.lastname@example.org.
The Protection of Personal Information Act, Act No 4 of 2013
The Information Regulator – https://www.justice.gov.za/inforeg/docs.html#itc