Protection of Personal Information Act (“PoPIA”)
The PoPIA is South Africa’s equivalent of the EU GDPR. It sets some conditions for you to lawfully process the personal information of both natural and juristic persons (“data subjects”). The PoPIA does not stop you from processing and does not require you to get consent from data subjects to process their personal information. However, the organisation processing such personal information is responsible for complying with the conditions set out in the PoPIA and the regulations that were published on 14 December 2018. The PoPIA regulations will commence once the commencement date is announced, and companies and organisations will have one year from that date to comply with the Act and its regulations. Failure to comply with the provisions of PoPIA could, in some instances, lead to imprisonment of up to 10 years.
So what needs to be done in this grace period to ensure that your organisation is fully compliant by the end of this grace period?
- Companies and organisations should have a Promotion of Access to Information Act (“PAIA”) manual in place. Private companies were given until 31 December 2011 to submit their PAIA manual to the South African Human Rights Commission (“SAHRC”). However, private companies operating in certain sectors were given an extension until 31 December 2015 to submit their PAIA manuals to the SAHRC. The Minister of Justice published a further exemption for a certain category of private companies, giving them until 31 December 2020 to submit their PAIA manuals. These are companies that employ fewer than 50 employees and whose turnover is less than that set out in the notice for each sector.
- Companies should also have already conducted a personal information impact assessment to ensure that measures and standards are in place in order to comply with the conditions for the lawful processing of personal information.
- Companies need to develop internal processes and standards together with systems to handle requests for information.
- Companies also need to provide adequate internal awareness regarding the PoPIA and its regulations.
It is therefore my advice that the Information Office of the company start implementing the above to ensure compliance with PoPIA when it comes into effect.
13 February 2019