The substantive sections of the long-anticipated Protection of Personal Information Act (Act No. 4 of 2013) (“POPIA”) came into effect on July 1, 2020 and are expected to drastically change the way organizations approach privacy in South Africa. Organizations have a grace period of one year to fully comply with POPIA or risk substantial fines or even imprisonment.
Never heard of POPIA? Let VeraSafe help you come to grips with this new South African law.
Introduction to POPIA
POPIA is a newly implemented South African law that aims to align South African data protection law with international best practice. It creates a number of privacy rights for data subjects and new rules for how personal information is collected, what it may be used for, when it may be shared, and how securely it must be stored. Parties are therefore obligated to evaluate and, if necessary, amend their privacy practices to comply with POPIA.
The South African Information Regulator (“Information Regulator”), which is similar to a Supervisory Authority in the EU, is responsible for the enforcement of POPIA and has published various guidelines and draft regulations in preparation for the compliance deadline on July 1, 2021.
POPIA is similar to the EU General Data Protection Regulation (“GDPR”) in certain aspects; both regulate the processing of personal information and have rules for notifying third parties of security breaches. However, some key differences should be kept in mind:
- POPIA only applies to personal information processed within the borders of South Africa, while the GDPR applies to the processing of personal data as defined in the GDPR regardless of the location in which the processing takes place.
- Under POPIA, the information collected about legal entities (and not just individuals) will, in some cases, enjoy the same level of protection afforded to individuals.
- Unlike the GDPR, POPIA does not acknowledge the distinct role of joint controllers, and only provides for responsible parties (akin to ‘data controllers’ under the GDPR) and ‘operators’ (akin to ‘data processors’ under the GDPR).
- While the GDPR requires the appointment of a Data Protection Officer only in certain circumstances, under POPIA, all operators and responsible parties are required to appoint an ‘Information Officer’ (similar to the role of the Data Protection Officer). The Information Officer must be either the Chief Executive Officer or the Managing Director of the organization (or another duly authorized person), and will be responsible for overseeing compliance with POPIA and liaising with the Information Regulator.
- Under POPIA, a responsible party must obtain prior authorization from the Information Regulator before processing certain types of information, and before transferring “special personal information” or personal information of children to a third country that does not provide an adequate level of protection for the processing of personal data. This requirement may have severe consequences for responsible parties that regularly process human resources data or that are financial service providers. By contrast, the GDPR requires that organizations engage in prior consultation with supervisory authorities only where a data protection impact assessment indicates that the processing would result in a high risk to the rights and freedoms of data subjects.
- The GDPR allows for the imposition of large administrative fines on organizations for non-compliance and allows for these fines to be levied as a percentage of global annual turnover. POPIA goes even further than this, and makes it a criminal offence to fail to comply with certain sections of the Act (e.g. failing to comply with an enforcement notice from the Information Regulator or failing to obtain prior authorization for certain processing activities). If convicted of an offence under POPIA, organizations can be liable to pay a fine of up to ZAR400,000. POPIA also provides for the imprisonment of individuals who commit criminal acts with personal information for a period of up to 10 years depending on the severity of the offence, while the GDPR considers this to be a matter for member state law.
The South African Information Regulator
The Information Regulator will regulate enforcement of both POPIA and the Promotion of Access to Information Act 2 of 2000 (“PAIA”). PAIA is an access-to-information law that enables individuals to gain access to information about them held by both public and private bodies. There is therefore some overlap between PAIA and POPIA, as the two pieces of legislation work together to balance competing interests and ensure that information is handled appropriately.
The Information Regulator is granted extensive powers to investigate and hold responsible parties liable for non-compliance with POPIA. A data subject is entitled to lodge a complaint with the Information Regulator relating to perceived violations of their rights under POPIA and the Information Regulator may take action about such complaints on the data subject’s behalf.
The Information Regulator has already published various policies and guidance notes and will be benchmarking the POPIA requirements against foreign laws and international best practices when creating further guidelines on the application of POPIA.
Initial Steps to Comply with POPIA
In order to commence with POPIA compliance, organizations should take some initial steps:
- Confirm whether your organization is subject to POPIA. Then conduct a thorough organizational impact assessment to identify how POPIA impacts your organization and ensure that you can identify and implement adequate measures to comply with POPIA’s eight “Conditions for Lawful Processing of Personal Information”.
- Conduct a gap analysis to assess your organization’s current privacy practices against the compliance requirements set by POPIA, assess the organization’s level of compliance, and identify vulnerabilities and risks with regard to POPIA compliance.
Once these initial steps have been completed, there may be updates required to internal and external records, reports, policies and procedures, agreements, data processing practices, data transfer practices, and more. Several of these steps likely require professional assistance to complete the required assessments, identify areas that require updates and change, interpret the regulatory requirements, and document each step to demonstrate compliance.
VeraSafe’s Approach to POPIA Compliance
VeraSafe’s comprehensive POPIA Compliance Program pairs your relevant business units and in-house attorneys with specialized privacy attorneys and experts, information security experts, and project managers, making your POPIA consulting team uniquely cross-functional. In contrast to a more traditional law firm, VeraSafe embraces the complex intersection of IT and law. Have a look at our POPIA Compliance page for further information on the key elements of VeraSafe’s POPIA Compliance Program.
We can help you determine whether POPIA will apply to your organization and prepare a plan of what is needed to meet the POPIA obligations before the deadline on July 1, 2021. To learn more about VeraSafe’s cost-effective and business-facilitating POPIA Compliance Program, contact one of VeraSafe’s privacy experts today for a free consultation.