The gradual unpacking of POPIA


2020 has seen the implementation of various laws and regulations, adding to the litany of these laws and regulations is the much anticipated data protection law which is almost becoming fully operational.

On 22 June, the President of South Africa announced the commencement dates for most of the substantial remaining sections of the Protection of Personal Information Act, 2013 (“POPIA” or “Act”). Such sections will commence on 1 July 2020 and 30 June 2021. After seven years, South Africa is two sections away from having a fully operational data protection law and personal information Act.

POPIA was signed into law on the 19th of November 2013, the Act’s objective is to regulate and protect the processing, sharing, use of personal information, storing another entity’s personal information by public and private bodies and holding them accountable should they abuse or compromise personal information in any way. “Personal Information” is defined in POPIA as information relating to an identifiable, living natural person or juristic person (sole proprietors, companies, close corporations etc). This includes but it is not limited to:

  • Email addresses, contact details, phone numbers etc;
  • Age, birth date, ethnicity, race, sex etc; and
  • Biometric information, blood type, medical reports etc.

The incremental implementation of POPIA started on 11 April 2014 when the President had signed a proclamation declaring some parts of POPIA effective from 11 April 2014 and after years of inaction on the 14th of December 2018 Regulations pertaining to POPIA came into effect. Two years later the President announces that the majority of POPIA will be effective from 01 July 2020. While, some have welcomed the recent announcement by the President, most have questioned this incremental implementation of the Act and in some parts the gradual implementation is met with frustration and confusion. Below we answer some of the questions, elucidate what the announcement means, and address potential concerns.

  1. Which sections have come into full force and effect?


Sections 2 to 38; sections 55 to 109; section 111; section 114 (1), (2) and (3) which commenced on 1 July 2020 these sections pertain to, amongst others—

  • the conditions for the lawful processing of personal information;
  • the regulation of the processing of special personal information;
  • Codes of Conduct issued by the Information Regulator;
  • procedures for dealing with complaints;
  • provisions regulating direct marketing by means of unsolicited electronic communication, and
  • general enforcement of the Act.

Section 114(1) is of particular importance as it states that all forms of processing of personal information must within one year after the commencement of the section, be made to conform to the Act.

This means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 1 July 2021. However, it stands to reason that private and public bodies should attempt to comply with the provisions of the Act as soon as possible in order to give effect to the rights of individuals.

Why the delay of the rest of the remaining sections which have not come into effect?
The reason for the delay in relation to the commencement of sections 110 and 114(4) – which are to commence on 30 June 2021 – is that these sections pertain to the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 (“PAIA”) from the South African Human Rights Commission to the Information Regulator.

In this regard, the Commission must finalise or conclude its functions referred to in sections 83 and 84 of PAIA and all mechanisms must be in place for the Regulator to take over these functions.

What does this mean for organizations?

Both private and public organizations need to ensure that they adhere to the sections that have come into full force and effect. To ensure that they process personal information in a manner that is lawful, reasonable, for a specific purpose and have the necessary consent to process such personal information. POPIA makes it illegal to collect and process and even store personal information in a manner not in accordance with the Act.

Legal implications of non-compliance?

The enforcement of POPIA means an obligation exists for organizations to take stock of their legal duties and obligations as well as their constitutional responsibilities. POPIA makes provision for fines of up to R10 million and/or a jail sentence of up to 10 years. Other legal implications of non-compliance include paying compensation to data subjects for damages they have suffered and added to this monetary loss is the reputational damage, the loss of clients, customers and employees and the failure to attract new clients and customers.

It is imperative that any natural or juristic person who processes personal information must become familiar with the Act and take the necessary steps to ensure compliance. While the commencement of most of the provisions of the Act was on 1 July 2020, the deadline for organizations to comply is 1 July 2021. Natural and juristic persons alike therefore have a grace period of a year to get their house in order and use this time effectively to “POPIA proof” their organizations.

Lebogang George, Consultant, Tumbo Scott Inc

Related Posts