Protection of Personal Information Act finally commencing on 1 July 2020
30 Jun 2020
The President has proclaimed that the remaining sections of the Protection of Personal Information Act, 2013 (“POPI”) will at last come into effect.
The operative sections of POPI that deal with the lawful processing of personal information, regulation of the processing of special personal information, the codes of conduct issued by the Information Regulator, regulation of direct marketing by way of unsolicited electronic communication and the general enforcement of POPI will come into effect on 1 July 2020.
POPI is applicable to any person, business or entity that processes personal information of data subjects, for example profit companies, non-profit companies, hospitals and medical practitioners, medical schemes, insurers, attorneys, estate agents, government departments, state-owned companies and entities and municipalities (called “responsible parties”), and also to any person, business or entity that processes personal information on behalf of a responsible party, for example IT vendors or medical scheme administrators (called “operators”).
Data subjects are the natural persons or juristic persons whose personal information is processed by responsible parties and operators. Data subjects range, for example, from the clients, members or subscribers of responsible parties to their employees.
Responsible parties and operators will have 12 months from 1 July 2020 to become fully compliant with the POPI Act. This means that they will have to take the necessary measures to ensure that any personal information of data subjects that they process is appropriately protected against the loss thereof, or the unauthorised access thereof by third parties. Practically, in order to implement such measures, responsible parties and operators will have to –
- appoint an information officer;
- identify and assess the nature and extent of personal information that they process;
- identify current POPI compliance gaps in their processing procedures and processes;
- formulate a POPI compliance framework and the necessary POPI compliance policies and procedures;
- review all operational and employment agreements, as well as online operations and terms and conditions;
- provide training to employees on their POPI obligations and the implementation of their POPI policies and procedures.