Regulator makes steady progress on POPI Act
The Information Regulator is making steady progress towards the effective implementation of the Protection of Personal Information Act (POPIA).
Yesterday, the regulator published the draft POPIA regulations and invited people to comment on them by 7 November.
Establishing the Information Regulator was one of the conditions set out in POPIA. The Information Regulator functions in accordance with the Act and the Promotion of Access to Information Act. The Act stipulates the regulatory body has to exercise certain powers, and perform certain duties and functions.
Ultimately, the regulator must monitor and enforce compliance of public and private bodies in terms of the Act.
Law firm Michalsons says the draft regulations are largely administrative in nature and do not help people to interpret POPIA or make it easier for them to comply.
There are no clear controls and the accountability is still left with the responsible party to apply the conditions to their circumstances, the law firm says.
"This is very much in line with what we have been saying for years - the regulations are not going to substantially change what you must comply with," it notes.
The South African Information Regulator has indicated the effective date for full promulgation of POPIA will likely be early 2018, following which all organisations will have one year to become compliant.
Consultancy firm Deloitte says the publication of the draft regulations indicates the timelines set by the regulator are on track.
"Based on our experience in implementing privacy and data protection projects across a range of organisations in Africa, and taking into consideration global privacy best practice, organisations should endeavour to become 'regulator ready' within, at the very least, the next 18 months," says Daniella Kafouris, associate director at Deloitte.
"Our experience has shown that potential risks and resources must be factored into any rollout plans to mitigate the risks in respect of the handling of personal information."
In June, the regulator published its 2017-2020 Strategic Plan which sets out the regulator's vision, mission, values and mandates. The plan further sets out the regulator's strategic objectives to be achieved over the next four years.
Deloitte believes that essentially POPIA will eventually become "business as usual" within an organisation's culture, processes, procedures and information governance framework.
It points out that organisations need to take advantage of the 12-month grace period, because delays in implementing the processes needed to become POPIA compliant, especially where shortcomings have not been quantified, can increase costs exponentially.
"Being 'regulator ready' is a driver for overall business growth and sustainability regardless of the industry or sector within which an organisation operates," adds Kafouris.
"The failure by any organisation to be 'regulator ready' timeously constitutes a slippery slope towards non-compliance with POPIA, potentially attracting fines from the regulator of up to R10 million per breach, or the imposition of imprisonment for a period not exceeding 10 years, depending on the level of non-compliance."
The Information Regulator has extensive powers to investigate and fine responsible parties, says law firm Michalsons.
Data subjects will be able to complain to the Information Regulator and it will be able to take action on behalf of data subjects, Michalsons notes. The regulator reports to Parliament and is the South African equivalent of the information commissioner in the UK.
POPIA was signed by the president on 19 November 2013 and published in the Government Gazette on 26 November 2013.
On 10 May 2016, the Portfolio Committee on Justice and Correctional Services shortlisted five candidates for the office of Information Regulator.
On 17 May 2016, former IEC chairperson, advocate Pansy Tlakula, was recommended as chairperson of the newly-formed Information Regulator, and her appointment was confirmed by the president on 26 October 2016.
On 26 October 2016, the president, in terms of section 39 of the Protection of Personal Information Act, 2013 and on the recommendation of the National Assembly, appointed members of the Information Regulator with effect from 1 December 2016.
According to the office of the regulator, the regulations pertaining to the Act will be tabled before Parliament by the end of the year.