As South Africa trudges towards the deadline to comply with the Protection of Personal Information Act 4 of 2013 (POPIA), there are many indications that a good number of entities have little or no strategy in place to comply with the Act.
This stems from not having an adequate grasp of what the Act expects of them. Obviously, this may be tragic on one hand and costly on the other, especially considering that when POPIA came into effect on 1 July 2020, it provided for a grace period of 12 months (ending 30 June 2021) for entities to put measures in place to comply.
Before 1 July 2020, some sections of POPIA had come into operation as far back as April 2014. Further to this, the law holds that ignorance of the law is not an excuse.
It will therefore be a herculean task for non-complying entities to escape liability after the deadline lapses, and non-compliance will invite penalties, sometimes hefty, depending on the circumstances.
This brief discussion will attempt to break down the obligations of POPIA for the benefit of even those least familiar with the law. Each organisation remains responsible for determining how these obligations apply to it and for devising systems to comply.
As a point of departure, POPIA describes entities that collect and process personal information as responsible parties, and those whose personal information is collected as data subjects.
For the purpose of this article and for the avoidance of confusion, we will generally assume that a responsible party is a company, and a data subject is an individual (a human client or customer).
Responsible parties are required by POPIA, in their collection and processing of personal information, to comply with eight conditions.
These conditions are recognised by the Act as the cornerstones of achieving integrity, transparency and responsibility in so far as the lawful collection and processing of personal information is concerned. These conditions can be summarised as:
While the conditions mentioned above may appear easy at face value, the challenging part is how a responsible party can achieve them.
Our best advice is to seek legal assistance to alleviate the risks involved in the process, which is fraught with legal and technical hurdles.
However, on a general note, responsible parties are advised to have an office or individual responsible for the compliance of data collection and processing systems, who will then embark on training staff about their obligations with regard to POPIA.
This will require a data breach and recovery plan, consent documentation, privacy notices and an overhaul of the information system so that it recognises and fully complies with the eight conditions mentioned above.
The processes described above are fraught with legal and technical considerations which must be strictly adhered to, and legal assistance from our able attorneys will make the process easier, faster and more secure.
We stand ready to comprehensively assist you in that regard as well as numerous other areas of law. Please contact us for more information.
The information contained in this site is provided for informational purposes only, and should not be construed as legal advice on any subject matter. One should not act or refrain from acting on the basis of any content included in this site without seeking legal or other professional advice. The contents of this site contain general information and may not reflect current legal developments or address one’s situation. We disclaim all liability for actions one may take or fail to take based on any content on this site.