On December 14, 2018, the Information Regulator in South Africa published the Regulations to the Protection of Personal Information Act, 2013 (POPIA). They are very similar to the draft Regulations that were first published in 2017 and will come into effect at the same time as POPIA. Here are some things that you should know:
- The Regulations are largely administrative in nature and provide various prescribed forms, including forms for lodging objections to the processing of personal information, requesting the correction or deletion of a data subject's personal information, and for requesting a data subject's written consent to process personal information for purposes of direct marketing via electronic communications. It is unclear whether it will be mandatory for businesses engaged in direct marketing to use this prescribed form when seeking consent of a data subject (other than a customer). Alternatively, it may be possible to obtain consent electronically using an opt-in checkbox or another means provided that the same content of the form is included.
- The Regulations set out further duties for information officers than those prescribed in POPIA. These duties include ensuring that a compliance framework is developed, implemented, monitored and maintained and that internal measures are developed to process requests made to the body. A Promotion of Access to Information Act (PAIA) Manual must also be developed and maintained and the information officer must ensure that internal awareness sessions in relation to POPIA are conducted.
- An important feature is the requirement for information officers to conduct personal information impact assessments (also known as data protection impact assessments in other jurisdictions) to ensure that adequate measures and standards exist in order to comply with POPIA. Data protection impact assessments are mandated under the EU's General Data Protection Regulation (GDPR) where the processing of personal information is likely to expose data subjects' rights and freedoms to high risk. The requirement to conduct a personal information impact assessment is in line with global data protection trends. However, it appears that this impact assessment must be carried out regardless of whether or not the data subjects' rights and freedoms are likely to be exposed to high risk.
- Unfortunately, the Regulations do not provide forms for giving notice of data breaches or for seeking prior authorization from the Information Regulator in circumstances that require prior authorization. Once POPIA comes into effect, prior authorization will be required when special personal information or personal information of children is transferred to locations that do not have adequate data protection laws. It will also be required when processing information about a data subject's criminal behavior or unlawful or objectionable conduct on behalf of third parties and in other circumstances prescribed by POPIA.
- There will be a one-year grace period within which to comply with POPIA and the Regulations once POPIA comes into effect. Therefore, we encourage businesses to ensure that they appoint information officers as soon as possible and that they receive training and familiarize themselves with their obligations under POPIA.
- Data protection impact assessments are now required.
- Information officers have additional duties and responsibilities.
- There are prescribed forms for lodging objections to the processing, correction or deletion of personal information, requesting consent for direct marketing and for the issuing of a code of conduct as envisaged in POPIA.