South Africa’s data protection law, the Protection of Personal Information Act 4 of 2013 (POPIA), was signed into law in 2013. It was enacted to give effect to the constitutional right to privacy which includes the right to be protected against the unlawful collection, retention, and dissemination of data. Our thought of the week addresses three of the often-asked questions in respect of POPIA.
- What is the purpose of POPIA?
- What is considered personal information?
- When will POPIA be implemented?
Ever since POPIA was signed into law, business has been advised that its coming into full operation was imminent, but this is yet to happen.
1. What is the purpose of POPIA?
The Act aims to promote the protection of personal data “processed by public and private bodies” and to establish “minimum requirements” for processing personal data. It furthermore empowers the Information Regulator “to perform certain duties and functions” in terms of POPIA in respect of issuing codes of conduct and protecting the rights of persons as regards unsolicited electronic communications and automated decision making, and to “regulate the flow of personal information across the borders of the Republic”. Ultimately, businesses will have to comply with the POPIA requirements in respect of the data they collect and how they use such data.
2. What is considered personal information?
The Act defines personal information as any data that can be used to identify a person. In short, it is “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.”
3. When will POPIA be implemented?
In an interview, the Information Regulator indicated that they have asked the President to commence POPIA “by the beginning of the financial year”. The Government’s financial year runs from 1 April to 31 March. This means if the Act is implemented, all parties will have a grace period of one year resulting in POPIA’s effective compliance deadline being 1 April 2021 (if it comes into effect 1 April this year), some eight years after its enactment.
Having to deal with the COVID-19 pandemic, the financial impact of Eskom, and SAA’s problems, commentators are, however, not convinced that 1 April will be the date for coming into operation. Nevertheless, this should not translate into procrastination. POPIA is (just) good business practice in operation, requiring proper data management processes: It is good business sense to know what data you have, why you have it, and what you do with it.
Whether it comes into effect 1 April or later this year, do what is reasonably practicable in your business to start aligning your practices with the requirements of POPIA: appoint an Information Officer, train your staff, and put policies in place, because ultimately it is coming.
For assistance to become POPIA compliant, contact our POPI Hub at firstname.lastname@example.org.