On 22 June 2020, the effective commencement of the Protection of Personal Information Act, 2013 (POPI) was gazetted as 1 July 2020. 

Anyone processing personal information in South Africa will have a 12 month grace period to ensure that they comply with the requirements of POPI.  After 1 July 2021, any non-compliance with POPI will have consequences. Enforcement mechanisms under POPI include penalties up to R10 million, civil proceedings instituted by data subjects, and criminal offences and fines in some circumstances. 

What comes into force on 1 July 2020? 

The sections that will commence on 1 July 2020 regulate how personal information (which is any information that can identify and infringe the privacy rights of a natural or juristic person) may be processed in South Africa or transferred across borders.  Anyone processing personal information will now have an obligation to notify the Information Regulator of any unauthorised access to personal information, especially with the growing number of cyber breaches. 

The sections that will be in force from 1 July 2020 include: 

• The need for any processing to be with the consent of the data subject or in the circumstances permitted by POPI;
• The conditions for lawful processing of personal information (including: ensuring that processing of personal information is adequate, reasonable and not excessive; ensuring that personal information is retained only as long as is necessary; appropriate mechanisms in place to inform data subjects of personal information being collected; and the notification of data breaches to affected data subjects and the Information Regulator);
• The limitations on processing special personal information (e.g. children’s information, health information, race, biometrics, etc);
• Codes of conduct issued by the Information Regulator; 
• Procedures for dealing with complaints; 
• Provisions regulating direct marketing by means of unsolicited electronic communication; and 
• Enforcement.

Sections relating to the amendment of laws and the effective transfer of functions under the Promotion of Access to Information Act, 2000 to the Information Regulator will only come into force on 30 June 2021. The repeal of data privacy provisions in the Electronic Communications and Transactions Act, 2002 will only take effect on 30 June 2021. 

Act now

Organisations should not underestimate how quickly the 12 months will pass because there is a lot to do to become compliant.  

Serious consideration has to be given to the personal information that the organisation processes, and how this creates risk from a reputational, commercial and enforcement perspective. This can be efficiently managed through a POPI compliance audit. Such an audit will identify risks or gaps which the organisation may not have been aware of, and will implement measures to address those risks. Awareness of the extent of the risks and the prevention action needed is the first step to identifying appropriate, practical and business suitable steps to mitigate the risks and ensure compliance with POPI.

Written by Rosalind Lake and Priyanka Naidoo, Norton Rose Fulbright