The eventual heralding of POPIA
With President Ramaphosa’s announcement that a large swath of substantive provisions from the Protection of Personal Information Act 4 of 2013 (“POPIA”) will commence from 1 July 2020, the dawn of proper data protection has arrived in SA. This is not too soon, as people are finally recognising not only the immense value and power of personal information, but also the simultaneous dangers same data processing poses for everyday people.
A complete legal overhaul for protecting valuable data
The commencement of the POPIA provisions is truly a massive shift in everyone’s obligations relating to the personal information they handle multiple times every single day. You may not have thought about it, but almost every single engagement you may have with anyone, be it a person or company, involves a constant stream of personal data exchange; either about people or companies. As such, just like all companies had to undertake an almost complete overhaul to their systems when the new Companies Act commenced in 2008, or when consumer relations and rights changed fundamental ways businesses engaged with its consumers with the new Consumer Protection Act of 2008, POPIA heralds another huge shift in corporate and personal responsibilities.
To say that companies alone are tasked with POPIA compliance is short-sighted and incorrect, where in actual fact, anyone who “processes” (which essentially means any sort of engagement with personal data) the personal information of another party needs to comply with the full raft of POPIA obligations (bar a few exceptions). This means that everyone from high-data density organisations (such as schools, medical practices and financial institutions) all the way to single-person operations (like plumbers and advisers) will need to comply with the entire regime of POPIA, and not simply pick-and-choose what they want to comply with. Further, compliance with POPIA includes not only the creation of the outward-facing company Privacy Policy (i.e. the “simple” part), but also the entire restructuring and design of how data is stored and used at a company.
POPIA and other data laws’ essentials
Whilst POPIA compliance my seem extremely daunting to processors of personal data, it can actually be summarised into 3 main focuses, being:
- The creation of a comprehensive and compliant data-subject facing Privacy Policy which satisfies all of the applicable acts;
- The satisfaction of a large range of internal systemic data handling requirements within your operation (what we call the “Actions”); and
- The correct and timeous implementation and provision of all applicable Policies and terms to your data subjects, whether IRL or online.
Many “responsible parties” wrongly assume that just having a Privacy Policy available is enough to satisfy total compliance, but that assumption is actually dangerous. Whilst the Privacy Policy is indeed vital, it is merely the metaphorical tip of the data-compliance iceberg, where holding one out without first satisfying all of the internal data handling requirements, is actually a blatant lie and even a criminal offence.
Further, it is also prudent for all processors of personal data to ascertain if, in conjunction to being governed by POPIA, their processing of personal data may also be subject to foreign data laws which can simultaneously apply, such as the EU’s General Data Protection Regulation (“GDPR”), which is essentially POPIA’s scarier and bigger cousin. Processors should also be aware of the UK’s Data Protection Act (“DPA”), as well as California’s Children’s Online Privacy Protection Rule (“COPPA”).
Getting compliant, and fast
The pending full and proper commencement of POPIA in SA therefore represents a huge shift in the operational requirements for companies, including consequences for its operations, staffing, running costs and even its Terms of Engagement with clients. Lastly, the sanctions for non-compliance are also substantial, so if a person is not incentivised to comply with POPIA in order to remain attractive and safe to its data-savvy customers, the ever-present threat of enforcement sanctions should shock them into complying.
Come to Legalese with all of your data and privacy compliance needs, where after having assisted hundreds of operations with data compliance before, we are poised to assist you practically, cost effectively and as simply as possible!
Thomas Reisenberger – 31 July 2020
Have any questions? Drop us a message below and we’ll be in touch!