South Africa's Protection of Personal Information Act (POPIA) commenced on 1 July 2020. This has been a long time coming: the legislation was passed by parliament in 2013.
The South African supervisory authority, the Information Regulator, was only appointed on 1 December 2016 and has spent the intervening years preparing for the rollout.
The current President of South Africa, Cyril Ramaphosa, proclaimed the commencement date, and organisations have a grace period until 30 June 2021 to become compliant.
The office of the Information Regulator has established itself and will manage the transition to a fully fledged and enforced legislation.
Why do we have privacy legislation in South Africa, and increasingly globally? There are a number of reasons. First, it has become very apparent that personal information is being abused by many different kinds of organisations.
Some key concepts common to most privacy legislation are:
But let's be very realistic: it is also all about TRADE, and about enabling trade between countries.
The drafters of POPIA looked at the existing laws of the EU, Canada, New Zealand and the Netherlands, amongst others. They realised that South Africa must have personal data privacy laws in place to be able to take part in the 4th industrial revolution.
Francis Cronje LLM, CIPP, CIPT, a contributor to the Act and a well-known Information Governance Specialist, noted that:
“Although POPIA is largely based on the EU Data Protection Directive of 1995, the POPI Technical Working Committee in Parliament, where he served, also considered aspects of the 2012 GDPR draft before POPIA was enacted in 2013.”
He further states: “POPIA reflects a majority of the privacy principles underscored by GDPR. POPIA stems from the constitutional right to privacy, but its enactment and eventual commencement will remove a whole array of data barriers, hopefully allowing SA to fully become part of the 4th industrial revolution or so-called digital revolution”.
Adequate data protection laws are therefore an imperative set of tools for countries that want to participate globally. POPIA should facilitate SA's participation.
The purpose of POPIA is to protect people from the harm caused to them by their personal information being abused.
POPIA identifies three role players who are affected:
The responsible party must process personal information in accordance with POPIA. All organisations processing personal information in South Africa have to be compliant.
As with GDPR, our opinion is that enforcement and penalties will initially serve more to guide organisations, but will subsequently be applied far more strictly and at higher values. Obviously, where massive breaches arise and it is obvious that the legislation has been ignored, appropriate action will be taken.
The legislation allows for the following penalties:
An area to take particular note of is the relationship between a responsible party and an operator. If an operator processing information on behalf of a responsible party suffers a breach or takes a negligent approach to data privacy, the responsible party is liable. Therefore, the responsible party must ensure that all compliance measures are in place and that full due diligence has been undertaken at the operator.
We do see POPIA compliance being pushed onto medium and smaller organisations by larger organisations that want to ensure the compliance of their supply chains, to reduce their risk of breaches and litigation. This is already evident in South Africa, where banks, health care groups and insurance companies, which have been active with their compliance programs for a number of years, are starting to ask their supply chains and operators to prove compliance. This situation is a big driver for the market.
In addition, compliance really makes common sense. Why would organisations not want to use the regulation as a driver for improving their operations and protecting the information of the individuals with whom they interact: their clients, their suppliers and, most importantly, their employees?
Compliance and protection of data should be obvious for the following reasons:
Compliance is a collaborative and ongoing process within an organisation. To be truly successful it must involve the whole organisation and become part of the culture.
The head of an organisation is automatically the information officer and can appoint deputy information officers. The details of these people must be registered with the Information Regulator by 3 March 2021.
Any organisation needs to have the following in place:
South Africa has now conformed with the international norm of having laws in place to protect the information of people held by organisations. The country can continue to participate in the data-driven global economy in the coming decades.
Having POPIA in force is a great opportunity for South Africa to ensure that all organisations have appropriate risk management, oversight systems and technology in place, and to create the information management structures that will enable the post-COVID-19 rebuilding.