The Protection of Personal Information Act is here: is your business compliant?
The country has been eagerly awaiting the implementation of the remaining provisions of the Protection of Personal Information (PoPI) Act 4 of 2013, the majority of which President Cyril Ramaphosa has announced will come into force on 1 July 2020.
The PoPI Act is a privacy statute which sets out information protection requirements applicable to organisations in the private and public sectors. The consequences of non-compliance with the PoPI Act are significant and include hefty administrative fines of up to ZAR10 million. Such a fine will be in addition to the reputational damage an organisation may suffer as a result of failing to comply with the PoPI Act.
Certain provisions of PoPI Act, including those relating to the establishment of the Information Regulator, came into effect as far back as 2014. Most of the remaining provisions will commence on 1 July 2020.
These provisions pertain to, amongst others: (i) the conditions for the lawful processing of personal information including its collection, use, storage, transfer, and disclosure; (ii) the regulation of the processing of special personal information such as information on a person’s health, race, religious affiliation or political persuasion; (iii) provisions regulating direct marketing; and (iv) procedures for dealing with complaints and the general enforcement of PoPI Act.
PoPI Act will have far-reaching implications for the processing of the personal information of individuals. For example, businesses that collect, hold, transfer and use individuals’ personal information will have to do so under certain conditions.
PoPI Act, however, provides for a 12-month transitional period, which means that organisations that process personal information must ensure that they comply with the provisions of PoPI Act by 1 July 2021. Having said this, the President has stated that organisations should attempt to comply with the provisions of PoPI Act as soon as possible.
Organisations are encouraged to take steps now to ensure that they comply with the provisions of PoPI Act. These steps may include:
- conducting an audit to establish what personal information and special personal information is held by the organisation in relation to customers, suppliers, employees, members or other data subjects; where such information is held; by whom it is held; and for what purpose.
- appointing an information officer and potentially deputy information officers for purposes of ensuring compliance with PoPI Act.
- developing standard clauses around data protection and group-wide data protection policies and protocols.
- ascertaining whether any personal information is collected in one place and transferred to another, especially if it is transferred to a foreign country.
- reviewing direct marketing activities, if any.
- implementing technical and organisational measures to mitigate security breaches. This may include implementing a cybersecurity incident response plan.
- conducting training sessions for relevant stakeholders to ensure that there is an understanding of PoPI Act and that the organisation’s systems are compliant.