PoPIA Regulations

The Protection of Personal Information Act, No. 4 of 2013 (“PoPIA”) seeks to govern the processing of personal information and, in so doing, imposes a variety of obligations with which affected parties will need to comply.

Although the commencement date has not yet been announced, on the 14th of December 2018 the Information Regulator published regulations to the Act (the “Regulations”), suggesting that PoPIA’s commencement may be forthcoming.

The Regulations

The Regulations deal with a number of procedural aspects, and of particular note and importance are the responsibilities imposed upon the information officer.

In relation to a private company, the information officer will be the CEO, or a person duly authorised by the CEO for that purpose.

The Regulations require that, in addition to any other responsibilities, an information officer must:

  • develop, implement, monitor and maintain a compliance framework;
  • perform a personal information impact assessment;
  • develop, monitor and maintain a manual as prescribed in sections 14 and 51 of PAIA (which must be made available to any person upon request);
  • develop internal procedures which adequately process requests for information; and
  • conduct internal awareness sessions.

Compliance with the Regulations

Should an entity not comply with the provisions prescribed by PoPIA, it may be found guilty of an offence which (aside from reputational harm) may be punishable by imprisonment or a fine. Fortunately, upon the commencement of PoPIA there is a grace period of one year to allow all affected parties to align their internal processes accordingly.

Notwithstanding the grace period, given the wide-ranging implications of PoPIA it may be prudent to begin making the necessary preparations to ensure compliance can be achieved within that period.