Organisations must get ready for POPI Act’s full might

Organisations should expect to see an active Information Regulator and enforcement of the provisions of the Protection of Personal Information (POPI) Act (POPIA) after 1 July.

This is according to Leishen Pillay, associate director within risk advisory at Deloitte, speaking during the recent ITWeb Governance, Risk and Compliance 2021 virtual conference.

Pillay pointed out, however, that whether this results in fines, compliance notices or other enforcement action come 1 July will depend on several factors.

Organisations, public and private, big and small, and anyone else processing personal information are preparing to comply with the conditions for the lawful processing of this data.

Since 2013, SA’s data protection law – the POPI Act – has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.

On 1 July 2020, the Act as a whole came into effect. However, local companies were given a one-year grace period to comply with the law.

The purpose of the legislation is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise personal information in any way.

Businesses that don't comply with the POPI Act, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Although organisations across SA are at varying levels of compliance, Pillay said he has witnessed an accelerated need, desire and focus to comply, which he described as “great”.

“As far as fines are concerned, it is a matter of enforcement; it is a matter of data subjects being active and organisations being active.”

Pillay reiterated that fines will depend on several factors, the first being active data subjects. “Data subjects, in many instances, trigger investigations and trigger requests to the regulator to investigate.

“Based on what I can see in terms of our South African society, data subjects, customers, etc, they take this very seriously and I think there is going to be activity on that front.”

The second factor, he noted, is the rise in cyber breaches driven by the increase in cyber events.

“There is an escalating continuing increase of cyber events. What is that going to trigger? That's going to trigger investigations, fines, notices to comply, etc.

“These are two independent factors, independent of whether an organisation wants to be active.”

He added: “Because we have third parties, we have GDPR applicability – where you have infrastructure based in the European Economic Area – that could also trigger requirements and reporting obligations.

“I think we are going to see an active regulator, and we are definitely going to see enforcement of the provisions of the Act.”

Turning to the country’s Information Regulator, Pillay said there’s no doubt about the active role the regulator is playing.

The Information Regulator is led by advocate Pansy Tlakula as chairperson, with the support of four other members – two members who serve in a full-time capacity and two members who may serve in a full-time or part-time capacity.

“Our regulator has been a leading light and beacon for data privacy ever since the inception of her appointment in 2016.

“I think there can be no doubt, with the kinds of cases that she’s been cited in over the past years, the way she has engaged with large, small and medium corporates in the event of a breach or incident, and also taking on the global giants to determine what they are doing and the kind of processes they follow.

“We have a track record, we have the behaviour and the cadence and the approach from the regulator over the past several years. I think if that's anything to go by, there is no reason for me to believe or anyone else to believe that would change on the first of July.”

Pillay also lauded the regulator for being vocal in terms of data privacy and making sure the Act came into effect during the COVID-19 pandemic.

“I think it is the regulator's perception that data privacy risk, cyber risks are going to increase when you use these centralised methods of communications and physical limitations being imposed by COVID.”