POPIA: a quick overview of the South African Data Privacy Law.
After a long wait POPIA is now here.
South Africa brought the Protection of Personal Information Act (POPIA) into effect on 1 July 2020. This has been a long time coming: the legislation was passed by parliament and signed into law in 2013, but most of its operative provisions only commenced seven years later.
The South African supervisory authority, the Information Regulator, was only appointed on 1 December 2016 and spent the intervening years preparing for the rollout.
President Cyril Ramaphosa proclaimed the commencement date, and organisations have a grace period until 30 June 2021 to become compliant.
The office of the Information Regulator has established itself and will manage the transition to a fully fledged, enforced regime.
A quick reminder, why do we have privacy legislation?
Why do we have privacy legislation in South Africa and, increasingly, globally? There are a number of reasons. First, it has become very apparent that personal information is being abused by many different kinds of organisations.
Some key concepts common to most such laws are:
- Personal information belongs to the individual it relates to.
- Organisations are entrusted with that information, on the basis of consent among other lawful grounds.
- The information must be used purely for the purpose for which it was given.
- The information must be protected and not put at risk of theft or abuse.
But let's be very realistic: a second reason is TRADE, and ensuring that trade between countries can continue.
How POPIA was born
The drafters of POPIA looked at the existing laws of the EU, Canada, New Zealand and the Netherlands, amongst others. They realised that South Africa must have personal data privacy laws in place to be able to take part in the 4th industrial revolution.
Francis Cronje LLM, CIPP, CIPT, a contributor to the Act and a well known Information Governance Specialist, noted that:
“Although POPIA is largely based on the EU Data Protection Directive of 1995, the POPI Technical Working Committee in Parliament, where he served, also considered aspects of the 2012 GDPR draft before POPIA was enacted in 2013.”
He further states: "POPIA reflects a majority of the privacy principles underscored by GDPR. POPIA stems from the constitutional right to privacy, but its enactment and eventual commencement will remove a whole array of data barriers, hopefully allowing SA to fully become part of the 4th industrial revolution or so-called digital revolution."
Adequate data protection laws are therefore essential if a country wants to participate in the global data economy. POPIA should facilitate SA's participation.
Who is involved, what are the roles within POPIA?
The purpose of POPIA is to protect people from the harm caused to them when their personal information is abused.
POPIA identifies three role players:
- The Data Subject: the person to whom the information relates.
- The Responsible Party: the person or organisation that determines the purpose of, and requires, the processing. This includes individuals, companies, non-profits and governmental organisations. In GDPR terms this is the controller.
- The Operator: the party that processes information on behalf of the responsible party. In GDPR terms this is the processor.
The responsible party must process information in accordance with the Act. All organisations processing personal information in South Africa have to be compliant.
What penalties are there under the POPIA?
As with GDPR, our opinion is that enforcement and penalties will initially serve more to guide organisations, but will subsequently be applied more strictly and at higher values. Where massive breaches arise and it is obvious that the legislation has been ignored, appropriate action will of course be taken.
The legislation allows for the following penalties:
- A fine of up to R10 Million (£465,000 or €513,000) or imprisonment of up to 10 years, or both, depending on the offence.
- Civil damages payable to the data subjects affected.
An area to take particular note of is the relationship between a responsible party and an operator. Should an operator processing information on behalf of a responsible party suffer a breach or take a negligent approach to data privacy, the responsible party remains liable. The Act requires a written contract between the two and obliges the operator to notify the responsible party immediately of any compromise. The responsible party must therefore ensure that all compliance measures are in place and that full due diligence has been undertaken on the operator.
What are the drivers in the market for POPIA compliance ?
We do see POPIA compliance being pushed onto medium and smaller organisations by larger organisations that want to ensure the compliance of their supply chains, in order to reduce their own risk of breaches and litigation. This is already evident in South Africa, where banks, health care groups and insurance companies that have run compliance programmes for a number of years are starting to ask their suppliers and operators to prove compliance. This is a big driver for the market.
In addition, compliance simply makes sense. Why would an organisation not use the regulation as a driver for improving its operations and protecting the information of the individuals it interacts with: its clients, its suppliers and, most importantly, its employees?
Compliance and protection of data should be obvious priorities for the following reasons:
- Data protection is top of mind in a world of hacks, attacks, fake news and cyber-crime.
- It is key to competitiveness, to being able to transact, and to maximising an organisation's potential.
Key tasks to perform on the road to POPIA compliance.
Compliance is a collaborative and ongoing process within an organisation. It must involve the whole organisation to be truly successful and must become part of the culture.
The head of an organisation is automatically its information officer and may appoint deputy information officers. The details of these people must be registered with the Information Regulator by 3 March 2021.
Any organisation needs to have the following in place:
- A meaningful privacy notice available at every point where information is collected.
- Compliance in the areas of consent management, direct electronic marketing, human resources, and IT and security.
- Trained and privacy-aware employees who have read and accepted the relevant governance and policy documents.
- The ability to respond to data subject requests of the various types: access, objection, correction and deletion.
- The ability to record any data breaches that occur and to report them to the Regulator, and, where relevant, to the people whose information has been compromised.
- A full understanding of whose information the organisation processes, why it processes it, what information it processes and retains, and which external parties process or receive the data.
- An operator management process that ensures all operators have secure processing in place and will report any breaches that occur.
- Controls for the remaining areas of compliance: transfers to other countries, automated decision making and the processing of children's information.
Towards a normalisation of data protection laws
South Africa now conforms to the international norm of having laws in place to protect the information that organisations hold about people, and can continue to participate in the data-driven global economy in the coming decades.
Having POPIA in place is a great opportunity for South Africa to ensure that all organisations have appropriate risk management, oversight systems and technology in place, and it creates the information management structures that will support the post-COVID-19 rebuilding.