It has been officially announced that numerous sections of the Protection of Personal Information Act, 2013 (POPIA) will commence on 1 July 2020. This means that, after a process that lasted several years, South Africa will soon have effective data protection legislation.
Although the entire POPIA will not commence, most of the important substantive sections will take effect next month. In order for organizations to get their compliance in order, there will be a 12 (twelve) month phase in period.
All businesses in South Africa should now review their personal information processing and ensure that they will be able to comply with POPIA’s requirements. Personal information is any information that relates to a living, identifiable natural person or an existing juristic person (e.g. a company). In order to process such information, one must comply with the information processing conditions contained in POPIA.
POPIA compliance requires a comprehensive and ongoing information management process.
A business can take various steps to start this process, including:
- Establish a POPIA task team.
- Create the necessary processes, notices and other required documentations.
- Ensure appropriate training of all relevant personnel.
- Review the organisation’s processing of personal information and the type of information processed.
- Check whether personal information will be transferred across South Africa’s borders and ensure compliance with POPI’s requirements relating to this.
- Make sure that all direct marketing will comply with POPI’s requirements.
- Review information security and safeguards.