What’s Going On With POPI?

By now, many South Africans will have heard of the Protection of Personal Information Act (POPI), a law that was signed into the books almost four years ago. Designed to govern how personally identifiable data such as ID numbers, dates of birth, email addresses and car licence plates is allowed to be collected, stored and used without affecting citizens’ rights, it’s a critical piece of legislation  for the digital age.

Business owners should have been preparing for some time to be compliant with its key points, but they’ll also have been frustrated that the main aspects of the law are not yet enforceable, and will not be until a year after the regulations governing the law are adopted by parliament. Should businesses invest now to become POPI-compliant, or defer the cost until later?

Clarity is coming, it seems, as in early September the newly formed Office of the Information Regulator published a draft set of regulations, which are open for public comment until 7 November 2017. It’s a positive step forward towards the realisation of the law.

The long delay hasn’t been fully accounted for, but at least in part it’s because the Office of the Information Regulator itself didn’t exist until last year.

“They didn’t want the farce that occurred with the Consumer Protection Act (CPA), where the law was implemented, but then the CPA required there to be a consumer protection body, which didn’t exist, making it impossible to comply with the CPA,” says Nick Hall, an associate at law firm Michalsons. “We do have an information regulator now, so bodies can be in compliance with POPI.”

The current draft regulations, however, don’t offer much in the way of guidance for firms looking to become POPI-compliant. The bulk of the document is taken up with example forms for POPI-related administrative purposes and commentary for interacting with the regulator.

Looking to Europe

While POPI requirements continue to progress forward, however, a regulation adopted by the European Union in April 2016 should probably now be a more pressing concern for many businesses. The General Data Protection Regulation (GDPR) dictates that any entity or individual which processes the personal data of an EU citizen must adhere to European law, regardless of whether or not that business has offices in the EU.

What that means is that, if a South African software firm, for example, has customers in the EU about which it gathers data, it must be GDPR-compliant.

GDPR is much more stringent than POPI, and effectively represents the next generation of online privacy laws. It becomes enforceable in May next year – roughly the same time experts expect POPI to be signed into law locally.

“We missed first prize, essentially,” says Hall. “Ideally, if POPI regulations had been adopted in May this year, local businesses would have had a year to meet compliance with both it and the GDPR. The reason is that, once POPI is signed into law, there’s a one-year grace period.

“Quite frankly, though, local businesses shouldn’t have waited this long,” he says. “Becoming compliant with GDPR and POPI takes time – that’s why grace periods exist. The laws aren’t going to change.”

POPI’s eight points of compliance

Once POPI becomes law, South Africans will have to comply with eight conditions:

1.  All principles contained in POPI and all measures that effect these principles must be complied with.

2.  Personal information must be processed responsibly and only with the consent of the data subject.

3.   Personal information can be processed only for clearly defined and legal reasons.

4.   Personal information may not be repurposed for a secondary intent unless it’s compatible with the original purpose for gathering it.

5.   Data collectors have to look at processes that allow their data subjects to update their personal information.

6.   Data subjects must be made aware that entities or individuals are collecting their personal information.

7.   Personal information has to be kept secure against theft, loss, modification, destruction or disclosure against the wishes of the data subject.

8.   Data subjects have the right to request whether their data is still being held, as well as whether any changes, modifications or deletion of their personal information have been made.

Fast fact

POPI applies to both public-sector and private-sector data processing. Your local municipality will need to be compliant with the new regulations too.