No more hiding as POPI Act kicks off on 1 July

South African organisations now have one year to comply with the long-awaited Protection of Personal Information (POPI) Act (POPIA).

This after the Presidency yesterday announced the commencement of certain sections of the 2013 data privacy law.

The Act, which gives effect to section 14 of the Constitution, provides that everyone has the right to privacy.

Since 2013, the Act has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.

The sections that will commence on 1 July 2020 are:

  • Sections 2-38 dealing with exclusions and the conditions for lawful processing of personal information;
  • Sections 55-109 dealing with the responsibilities of information officers, direct marketing (unsolicited electronic communications), relevant Codes of Conduct and enforcement mechanisms (offences, penalties and administrative fines); and
  • Section 114(1), (2) and (3) which deals with transitional arrangements.

The sections that will commence on 30 June 2021 are:

  • Sections 110 and 114(4), which deal with the amendment of laws and the transfer of functions from the South African Human Rights Commission to the Information Regulator regarding the Promotion of Access to Information Act (PAIA).

Responsible conduct

Francis Cronje, an information governance specialist and contributor to the POPI Act, comments: “What all of the above entails is that the Act as a whole will commence on the 1st of July 2020, apart from those sections that have already commenced, and those that will commence on the 30th of June 2021.”

The purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise personal information in any way.

Businesses that don't comply with the POPI Act, regardless of whether it’s intentional or accidental, can face severe penalties.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Cronje explains that Section 114(1) states that all processing of personal information must, within one year after the commencement of this section, be made to conform to this Act.

“In essence, from the 1st of July 2020, organisations will have 12 months, or one year, to comply with the conditions for the lawful processing of personal information. No more delays, no more excuses, no more hiding,” he says.

Organisations, public and private, big and small, and anyone processing personal information, will have to align their processing activities to the Act, Cronje notes.

“Whether such processing involves personal information of your employees, prospective employees, part-time workers, contractors, clients, members, consumers, customers or third-parties or anybody else whose personal information you collect, use, share, retain, store, archive, delete or destroy – you, as a processing entity, will have to ensure that you, or anybody that processes personal information on your behalf, complies with the Act.”

Rights of data subjects

Pria Chetty, director at law firm EndCode, points out that up until 22 June 2020, limited sections in the POPI Act were in force.

She notes these were aimed at enabling the Information Regulator to set up operations and for regulations to be issued.

“The announcement from the Presidency confirms that the critical sections of POPIA will now take effect. These are substantive sections that create rights, duties, obligations, procedures and penalties.”

According to Chetty, the rights of data subjects to personal data protection safeguards finally have legal force, bringing South Africa closer to harmonisation with international and continental instruments on privacy and data protection.

“Of further significance, particularly in the context of digital innovation and advances in healthtech and edtech, is the regulation of the processing of special personal information – that will balance the need for access to information with the need to protect sensitive health and children's information.”

She says organisations will now need to address, with intent, the provisions regulating the responsibilities of information officers, sectoral Codes of Conduct and direct marketing.

“The regulator will be pleased to see the procedures for dealing with complaints, and other enforcement mechanisms taking effect,” says Chetty.

“Ultimately, it marks the entry of non-negotiable obligations and duties for organisations regarding information privacy practices.”

Chetty believes compliance with the substantive provisions of the POPI Act will be a significant effort for many South African organisations, some of which have been preparing for the law’s enactment for years.

“Taking account of the ways in which digital technologies have altered every element of our work and society at large, embedding information privacy practices at all levels of the organisation is what is needed,” she says.

Strict deadline

Livia Dyer, partner at Bowmans, says the Information Regulator was established to implement and enforce POPIA, and its powers include the ability to levy administrative fines (of up to R10 million).

“POPIA provides for a transitional period of one year,” she notes. “This means that both private businesses and organisations and public bodies that process personal information must, at this stage, ensure they comply with POPIA by 1 July 2021.”

According to Dyer, the transitional period can be extended by a further three years for specific classes of information and certain data controllers (referred to as “responsible parties” in the Act), but there is no guarantee that an extension will be given.

“A year may seem like a long time, but business leaders need to initiate the compliance process as soon as possible because, in many cases, compliance will require the implementation of fundamental changes to their organisations,” says Louella Tindale, data protection specialist at Caveat Legal.

Meanwhile, Rohan Isaacs and Tatum Govender, from Herbert Smith Freehills SA, say consumers will benefit from POPI’s requirements that their personal information must be protected and that it can only be collected or handled where there is a lawful justification for doing so.

“POPI gives consumers specific rights in respect of organisations handling their personal information and it gives consumers greater control over their personal information. Consumers are informed about what personal information is collected, by who and why so that consumers are able to make informed decisions,” they conclude.