The question of when the South African Protection of Personal Information Act, 2013 (“POPI”) will come into force has been asked many times since the Bill was signed into law by the president on 19 November 2013.
Advocate Pansy Tlakula, who was appointed as chairperson of the Information Regulator (the “Regulator”) in terms of POPI on 1 December 2016, stated in her “briefing on the work of the Information Regulator” on 13 February 2017, that the majority of the provisions of POPI “will only come into operation once the Regulator is fully operational”. The officials of the Justice Department who were responsible for drafting POPI informed the Regulator in December 2016 that, in their experience, the Regulator will only be up and running in two years’ time. Advocate Tlakula, however, expressed a commitment to shortening the implementation period of the Regulator.
The “Time Table of Activities” lists the first week of April 2018 as the anticipated date of publication of the final Regulations in the government gazette.
Therefore, it is fair to assume that the commencement date of POPI will be proclaimed between the first week of April 2018 and 1 December 2018.
A responsible party (ie, a public or private body or any other person, which, alone or in conjunction with others, determines the purpose of and means for processing personal information) will be given a one-year transition period after the commencement of POPI to comply with its provisions.
In our experience, the roll-out of a comprehensive POPI compliance programme takes six months to two years. It is therefore crucial for companies to start their POPI compliance programmes as soon as possible.