POPI is here

By Maryke Sher-Lun on 10 September 2020

On 22 June, the President issued Proclamation R. 21 of 2020 listing certain sections of the Protection of Personal Information Act 4 of 2013 (POPI) to come into force from 1 July 2020. These sections are in addition to those which had already come into force from 11 April 2014 under Proclamation R. 25 of 2014.

Between the two proclamations, almost all of POPI is now in force. The only sections which remain outstanding are sections 110 and 114(4), both of which will come into effect on 30 June 2021. These remaining sections relate to the amendment of other laws in order to gather all personal information-related provisions into a single place. The laws which will be amended include the Public Protector Act 23 of 1994, the Promotion of Access to Information Act 2 of 2000, the Electronic Communications, and Transactions Act 25 of 2002, and the National Credit Act 34 of 2005.

This does not mean, however, that everyone is immediately bound to comply with POPI. Section 114(1) of POPI provides that “all processing of personal information must within one year after the commencement of this section be made to conform to this Act ”. In effect, companies have until 30 June 2021 to get their houses in order. In the interim, the Information Regulator is ready to receive voluntary reporting of data breaches. Banks, of course, are already bound to report data breaches in terms of Directive 2/2019 issued by the Prudential Authority in September 2019, and many of us would have already received data breach notifications from banks regarding the recent Experian data breach.

We caution that companies should not wait for next year to begin their compliance work, as full compliance with POPI will potentially involve many months of work. In addition to the potential penalties (fines of up to R10 million and/or imprisonment for up to 10 years, plus the possibility of civil liability to individuals), being able to demonstrate your company’s POPI compliance will shortly become of great interest to both customers and suppliers. In the interim, it's worth noting that the number of cyber attacks in South Africa is on the rise; with the Information Regulator having received 19 voluntary reports of data breaches in the past 4 months alone, and Interpol's July report "Online African organised crime: from surface to dark web " notes that African countries are increasingly vulnerable to cyber-enabled crimes, with the economic loss continent-wide already in the billions of dollars per year. Although the Information Regulator is not yet empowered to enforce POPI, the rise in attacks should encourage companies to comply, and strengthen their security measures, as soon as possible. As frightening as it can be to have to comply with a whole new set of laws, POPI is ultimately a positive step for South Africa and is expected to greatly reduce the potential for misuse of and fraudulent access to personal data. In bringing our data protection laws closer in alignment with EU data protection laws, we hope that POPI will also make South Africa a more attractive location for potential customers and business partners in the EU.

Please note that our blog posts are informal commentaries on developments in the law as at the time of publication and not legal advice. You should place no reliance on our blog posts; we look forward to discussing your particular matter with you.