Despite the fact that the Protection of Personal Information Act (“PoPI”) was signed by the president on 19 November 2013, a commencement date has not yet been established. It seems as though PoPi is edging toward a commencement date as the Portfolio Committee on Justice and Correctional Services recently recommended candidates for appointment to the board of the Information Regulator.
Our IP Commercialisation team has been watching the development of PoPI in recent years and believe that the importance of this law coming into force cannot be overstated. The common law does not provide a navigable framework for holding South African institutions accountable when collecting, processing, storing and sharing another entity’s personal information which necessitated this specialist legislation.
PoPI is a comprehensive piece of legislation covering personal information and will go a long way toward entrenching the right to privacy as envisaged by Constitution of South Africa. The right to privacy is protected through PoPI as it clearly defines what constitutes the unlawful collection, retention, dissemination and use of personal information.
We had a few questions for Danie Strachan, the PoPI expert on our IP Commercialisation Team.
IP Live: Does PoPI have an impact on IP commercialisation?
Danie: Yes, in various respects. For example, many organisations commercialise copyright in photographs and compilations of information. These might include personal information, and the relevant organisations would have to make sure that they comply with PoPI’s requirements in future.
IP Live: How close do you think to a PoPI commencement date?
Danie: The appointment of the Information Regulator’s board members must still be confirmed and then they need to start operations. Importantly, the regulations must still be drafted. As such, it is not very likely that the commencement date will be in this year, but we might see a commencement date in 2017. Once a commencement date has been established companies will have 12 months to comply with the provisions of PoPI.
IP Live: How much work is it going to take for the average company to be compliant?
Danie: This depends on the nature of a company’s operations and business. However, compliance will take quite a lot of effort, audits, meetings and drafting and updating of policies and documents.
IP Live: What steps should any company be taking right now?
Danie: It is important to do a high-level analysis of the personal information in the company. Identify the risk areas and start working on this. A company should appoint a task team to take up responsibility for PoPI compliance and readiness.
IP Live: Do you think twelve months is enough time to be PoPI compliant?
Danie: It might be, although some organisations will need more time. But you have the legislation available to you today, so why not start right now?
For assistance or advice regarding PoPI, click here to make contact with Danie Strachan