[Download pdf directly above]
Previously the Information Regulator, Advocate Pansy Tlakula, requested President Cyril Ramaphosa to announce 1 April 2020 as the commencement date for the Protection of Personal Information Act (POPI Act). Since being signed into law on 19 November 2013, and published in the Government Gazette on 26 November 2013, the public and private sectors have waited with bated breath for the commencement date to be announced.
Although certain limited sections of the POPI Act are already operational, those sections enforcing compliance and penalties are not yet in effect. Once the POPI Act does commence, entities will only have one year’s grace period to ensure compliance. Now is the time to ensure that your business is not caught by a curveball.
When is the new expected date?
Given the circumstances in respect of COVID-19 it is understandable that the POPI Act commencement date was not announced as 1 April 2020. Pending any further statements made by the Information Regulator we cannot say for certain when the POPI Act’s commencement date will be.
However, considering that Adv. Tlakula’s term is set to end on 1 December 2021 we believe that her office would want to ensure that the POPI Act is in full effect by then.
Therefore, given that the one year’s grace period will still need to run its course, we guesstimate that an announcement regarding the commencement date will take place sometime during the second half of 2020.
What’s the big deal with data privacy during the lockdown?
South Africans have been plunged into unchartered territory, with many entities needing to ensure that they adjust their way of operating to ensure that they survive the lockdown and financial consequences thereof. These adjustments include the manner in which personal information of others is managed.
Data security amid the global coronavirus pandemic is more important than ever, with the Information Regulator, in a recent press statement, encouraging private and public bodies to strengthen their data privacy compliance measures, providing, amongst other things that, “Considering the prevalence of data breaches and cyber-crime in our country and globally, the Regulator calls on both public and private bodies to increase their security measures around their digital and physical operating systems so as to protect the personal information of everyone against unlawful or unauthorised access”. In addition, the Information Regulator issued a Guidance Note on the processing of personal information in the management and containment of COVID-19 pandemic.
It is therefore imperative for businesses and business owners alike to use this time to put sufficient systems, processes and measures in place to ensure compliance with the POPI Act as, once fully effective, the Act will place specific obligations on businesses to process personal information within the confines of its provisions.
Several jurisdictions around the world already have fully effective data protection laws, e.g. the European Union’s General Data Protection Regulations (GDPR), which the POPI Act was guided by. The operation of the GDPR and other countries’ data protection laws will no doubt serve as a notable illustration for how the POPI Act may, in its own right, operate and require entities to process personal information in general, and also specifically during a global health pandemic such as COVID-19.
Cyber-crime is also ripe during a lockdown with many businesses continuing or starting to function electronically even if their operations are severely limited. Don’t let your business become a statistic. Be proactive! You may not be able to control the global pandemic but your business can put measures into place to ensure that it continues to operate in a manner that protects its assets, upholds the constitutional right to privacy, avoids a breach of personal information and prevents unnecessary damages to its financial position and reputation.
What you can do now
Although compliance with the POPI Act is not a “quick-fix” exercise, as we have mentioned before, here are four things, as an absolute minimum, which you can do during the nation-wide lockdown to ensure that your business is not flattened by a POPI curveball:
- Improve your knowledge by doing an online POPI Act course. You may find yourself with some extra time on your hands given the compulsory nation-wide lockdown so, take advantage of this spare time and educate yourself to become knowledgeable on the subject of all things relating to the protection of personal information and how the POPI Act may affect your business in the way it currently operates.
- Get a PAIA manual in place for your business. The Promotion of Access to Information Act 2 of 2000 (PAIA) is the other side of the coin.PAIA regulates access to such personal information. It aims to uphold a person’s right to have access to information as contemplated in section 32 of the Constitution. PAIA requires entities (public or private) to have a manual in place that serves as a roadmap on how to request information/ records held by such entities.
Manage your data protection obligations today
We are not sure how long the COVID-19 pandemic will last or whether the lockdown will be extended again. However, we are certain that once the lockdown has passed it is highly unlikely that it will be “business as usual”.
Once the grace period ends and the POPI Act is in full effect, businesses that fail to comply, irrespective of whether it is intentional or accidental, can face severe penalties. The POPI Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
In these interesting and unique times that we find ourselves in it is imperative that you remain in control of the controllable and that you are able to hit that curveball out of the park.
Our legal experts are working remotely and are available should you require advice and legal assistance to ensure that your current business systems, processes and operations are safe and secure and in line with the requirements of the POPI Act.
Visit www.popipack.co.za for various technical and advanced privacy tools we have to offer in cooperation with our business partners.
VDT Attorneys, your go-to legaltech partner for everything related to the protection of personal information and data privacy.