THE LONG WAIT TO ENFORCEMENT
The Protection of Personal Information Act (POPIA) was first tabled in 2005. In 2013, the President signed the act. A few developments followed: the Information Regulator was appointed in 2016 and, most recently, the final regulations of the act were published in 2019. These developments have confirmed, for most who were in doubt, that POPIA should be taken seriously as it is here to stay.
In January 2020, the Information Regulator confirmed that 2020 will be the year that POPIA comes into effect, despite the delays experienced since the act was first tabled in 2005. The Information Regulator has further expressed a desire to have POPIA in force by Quarter 2 (Q2) of 2020.
WHAT DOES THIS MEAN?
Organisations have been waiting in anticipation for the commencement date to be proclaimed, which will make the act enforceable. While the actual date has not been proclaimed, the Information Regulator has stated with certainty that 2020 is the year that POPIA will come into effect.
This means the wait is almost over – South African organisations and individuals alike can boldly say that there is legislation that sets out to protect the privacy of personal information belonging to South African citizens and entities. While this is exciting news, a key point to note is that the grace period of 1 year which organisations will be given to get their ducks in a row starts immediately from the commencement date.
HOW WILL YOU DEMONSTRATE COMPLIANCE?
As with any legislation or regulation, there is a requirement to ensure that it is upheld. POPIA requires organisations to demonstrate that they can comply with its requirements for the privacy of personal information. To demonstrate this, organisations will be given a grace period of 12 months to attain compliance. Some organisations have taken a proactive approach and have begun their information privacy compliance journey even though the commencement date has not been proclaimed, while others have been stuck with the “where do we start” question.
Those who have already embarked on their personal information privacy compliance journey can attest that 12 months is not enough to become compliant with the requirements of POPIA. Therefore, organisations need to act fast in order to be able to demonstrate such compliance.
WHY DO WE NEED TO BE CONCERNED WITH POPIA?
In 2019 it was reported, based on a survey conducted on the platform of one of South Africa’s leading business technology media houses, that a majority of organisations did not feel they would be ready for POPIA if it were to become enforceable, and as such would face reputational damage if fines for non-compliance were imposed.
Only 34% of the survey respondents felt their organisation would be ready to meet the requirements of POPIA. Non-compliance with POPIA can lead to severe penalties. The act makes provision for fines of up to R10 million and even a jail sentence of up to 10 years, depending on the seriousness of the breach.
The world is moving towards information protection, privacy and security. We have seen this more practically with the implementation of data protection legislation and regulations across the globe, such as the General Data Protection Regulation (GDPR) and, most recently, the California Consumer Protection Act (CCPA).
In the information-driven age that we operate in, information and data are now key assets to organisations and the number 1 target for criminals. Some go as far as to say that information and data breaches inevitably happen due to the increased demand for and use of information.
However, information protection legislation and regulations such as POPIA and GDPR aim to ensure that those who collect and manage personal information are obliged to protect it from misuse and exploitation, as well as to respect the rights of information owners – or face penalties for not doing so.
Organisations need to check and ensure that they can demonstrate compliance with the requirements of POPIA before the date of commencement, as the 12-month grace period MAY not be enough should they decide to wait for the “formal proclamation”. The office of the Information Regulator is progressing, and organisations should make sure that they don’t get left behind – the best time to act is NOW.