New regulations provide more clarity on POPIA
11 March 2019
 

“I’m the compliance officer for our business and have been tasked with responsibility for POPIA. I saw a media report on regulations being promulgated and was wondering if there is anything of importance that I need to take note of in them for our business?”

You are correct that new regulations (“Regulations”) to the Protection of Personal Information Act (“POPIA”) have been published in December 2018. However, these Regulations will only come into effect on a date to be determined by the Information Regulator. 

The Regulations essentially address a number of procedural aspects under POPIA, of which a few are especially important to take note of for your business, once they come into effect.

The Regulations contain a number of prescribed forms which among others regulate how a data subject can object to the processing of their personal information and how a data subject can request the correction, destruction or deletion of personal information.

Also of importance for businesses that engage in direct marketing, is Regulation 6 which provides that a responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must in terms of section 69(2) of the Act submit a request for written consent to that data subject on Form 4 to the Regulations. This Form 4 essentially requires that the responsible party must identify themselves and their contact details, identify the data subject, afford the data subject the option to consent to receiving direct marketing in respect of goods or services by way of a specified method of electronic communication (fax, e-mail, SMS), and have the consent signed. 

Fortunately, “Form” is defined as “a form referred to in the annexures to these Regulations or any form which is substantially similar to that form” [our emphasis]. Therefore, it means that the responsible party could use other means of obtaining the consent as long as it contains the elements prescribed in Form 4 and a record thereof exits. This would in our view, be able to include an “I accept” button or link in an email or on a website or app or even a voice recording of a data subject agreeing telephonically to the direct marketing, as “signature” includes an “electronic signature” which is defined as data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature.

The Regulations also provide more clarity on the responsibilities of an Information Officer such as yourself tasked with responsibility for POPIA at an organisation. Regulation 4 sets out a number of responsibilities for the Information Officer, in addition to that prescribed by POPIA, which include:

•  Developing, implementing and monitoring a compliance framework for protection of personal information. 
•  Ensuring that a personal information impact assessment is done to ensure that adequate measures and standards exist. 
•  Developing, monitoring, maintaining and make available a manual, as prescribed by the Promotion of Access to Information Act, 2 of 2000. 
•  Developing internal measures and systems to process requests for access to information. 
•  Ensuring that internal awareness training sessions are conducted. 

Although these Regulations are not yet in force, they provide a view on some specific compliance aspects that must be considered by your business. Our recommendation is to look at updating your compliance procedures to prepare for these Regulations, or obtain the assistance of a specialist to help you do so.