Regulator wants POPIA in force by Q2 2020

By Admire Moyo, ITWeb's news editor.
Johannesburg, 27 Jan 2020
Advocate Pansy Tlakula, chairperson of the Information Regulator.

The Information Regulator has written a letter to president Cyril Ramaphosa, requesting that he bring the outstanding aspects of the Protection of Personal Information Act (POPIA) into effect.

Responding to ITWeb’s questions on the status of the data privacy law, advocate Pansy Tlakula, chairperson of the Information Regulator, said: “We have requested the president to bring the remaining sections of POPIA into effect in the new financial year. We are waiting for a response. We sent the letter last week.”

This comes after the Information Regulator's office, speaking at the International Conference on Computers, Privacy and Data Protection that took place in Brussels last week, stated POPIA will commence in the second half of 2020.

POPIA was signed by then president Jacob Zuma on 19 November 2013 and published in the Government Gazette on 26 November 2013.

The purpose of the law is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable should they abuse or compromise personal information in any way.

When the POPI Act is in force, businesses that don't comply, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

However, 17 years after the process of formulating POPIA started, there is still no commencement date for the much-anticipated data protection law in SA.

‘Massive undertaking’

The country is still waiting for the law to become fully operational, while the Information Regulator remains incapacitated to deal with the increasing number of data breaches besetting the country.

POPIA will only commence on a date to be determined by the regulator by proclamation in the Government Gazette.

In December, the Information Regulator published, for comment, draft guidelines to develop codes of conduct under the POPI Act. The submission of comments has since closed.

Francis Cronje, an information governance specialist and contributor to the POPI Act, believes budgetary constraints might be the biggest factor for the delays in implementing POPIA.

He explains the mandate of setting up a new institution tasked with regulating the protection of personal information and promoting access to information is a massive undertaking, starting with the appointment of numerous individuals, subsequent filling of roles, allocation of offices, co-ordinating with international counterparts, drafting of legislative forms, rules, regulations, setting-up of meetings, participating in legal proceedings, etc – all requiring substantial funding.

“The Information Regulator was only appointed late 2016 with a comparatively small budget compared internationally, and subsequent positions on executive level were only filled late 2019.

“It will be, in my opinion, illogical for the Information Regulator to issue commencement of the Act before ensuring a fully functional and operational body.”

Cronje adds: “Having assisted various large and multinational organisations, I am convinced that most large corporates understand the compliance challenges inherent to the Act, as well as the risks associated with data protection globally.”

However, he points out the length of time required to align business processes within these large organisations, and the complexities associated with the Act’s provisions, have caught some of them unaware and probably not in a state of readiness.

According to Cronje, corporates in the fortunate position of having allocated sufficient funds to their privacy programmes over the past couple of years are better prepared and probably ready for the Act.

“On the other hand, we have experienced that smaller organisations do not have the necessary budgets to tackle the challenges head-on and have taken a wait-and-see approach. The implementation or use of compliance software might be part of the solution.”

Powerful data

Cronje points out the passing of the law will mean a lot of things for organisations, of which the most important is probably certainty.

“With the long delays experienced before imminent commencement, smaller organisations have pushed the issue to the background. The consequences thereof are that the consumer still experiences unsolicited direct marketing, unlawful use of their personal information and still suffers the negative consequences of data breaches and theft.

“If organisations do not take accountability for the lawful processing of our personal information, the situation will not change. Commencement of the Act and subsequent enforcement thereof will hopefully oblige organisations to take stock of their legal duty to take up these constitutional and important responsibilities.

“Data can be regarded as the fuel or oil of the so-called fourth industrial revolution. With this immense importance also arrive risks associated with its processing. These risks, not only to organisations, but also to data subjects, cannot and should not be underestimated.

“The responsible and lawful processing of personal data and/or information and its subsequent protection should, therefore, become one of the foremost objectives of organisations and also individuals tasked therewith,” he concludes.