Chairperson of the Information Regulator, Advocate Pansy Tlakula, recently sent a request to President Cyril Ramaphosa to declare that the remaining provisions of the Protection of Personal Information Act, 2013 (“POPIA”) commence on 1 April 2020 (“Commencement Date”).

It is expected that the president will act on this request. A responsible party (ie, a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information) will then be given a one year transitional period after the commencement Date to comply with its provisions. That means that organisations will have to be POPIA-compliant by 31 March 2021.

In our experience, the roll-out of a comprehensive POPIA compliance programme takes six months to two years. It is therefore crucial for companies to start their POPIA compliance programmes as soon as possible.

Compliance with POPIA will include certain mandatory measures, which, among other things, entail:

  • the appointment of an information officer – in the absence of such appointment, this will automatically be the head of the organisation;
  • the making of certain mandatory disclosures to data subjects, including with whom their personal information is shared;
  • the development, implementation, monitoring and maintenance of a POPIA compliance framework;
  • the conducting of personal information impact assessments to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • the development, monitoring and maintenance of a manual as prescribed in the Promotion of Access to Information Act, 2000;
  • the development of internal measures, together with adequate systems, to process requests for information or access thereto; and
  • the conducting of internal awareness and training sessions.

It is important to note that section 77H of POPIA provides that “The Information Regulator … may make an assessment … of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.”

In addition, in terms of section 109(3) “when determining an appropriate fine, the Regulator must consider … any failure to operate good policies, procedures and practices to protect personal information”.