South Africa’s long awaited data privacy laws have finally come into force, giving anyone processing personal information in the country a 12-month grace period to ensure that they comply with the requirements of the Protection of Personal Information Act (PoPI).
From July 1, 2021, any non-compliance with PoPI will have consequences. Enforcement mechanisms under PoPI include penalties of up to R10m ($590,500), civil proceedings instituted by data subjects, and criminal offences and fines in some circumstances.
The sections that commenced on July 1, 2020 regulate how personal information (any information that can identify a natural or juristic person and whose misuse can infringe their privacy rights) may be processed in South Africa or transferred across borders. Anyone processing personal information now has an obligation to notify the Information Regulator of any unauthorised access to personal information, an obligation that matters all the more given the growing number of cyber breaches.
The sections that are in force from July 1, 2020 include:
- The need for any processing to be with the consent of the data subject or in the circumstances permitted by PoPI;
- The conditions for lawful processing of personal information (including: ensuring that processing of personal information is adequate, reasonable and not excessive; ensuring that personal information is retained only as long as is necessary; appropriate mechanisms in place to inform data subjects of personal information being collected; and the notification of data breaches to affected data subjects and the Information Regulator);
- The limitations on processing special personal information (for example, children’s information, health information, race, biometrics);
- Codes of conduct issued by the Information Regulator;
- Procedures for dealing with complaints;
- Provisions regulating direct marketing by means of unsolicited electronic communication; and
Sections relating to the amendment of laws and the effective transfer of functions under the Promotion of Access to Information Act, 2000 to the Information Regulator will only come into force on June 30, 2021. The repeal of data privacy provisions in the Electronic Communications and Transactions Act, 2002 will only take effect on June 30, 2021.
Industry pundits have warned organisations to not underestimate how quickly the 12 months will pass because there is a lot to do to become compliant.
Experts have argued that serious consideration has to be given to the personal information that the organisation processes, and how this creates risk from a reputational, commercial and enforcement perspective.
Raising awareness of the extent of the risks and the preventive action needed is the first step to identifying appropriate, practical and business-suitable steps to mitigate the risks and ensure compliance with PoPI.