Dawn of a new era for data privacy in South Africa
South Africa has, from today, entered a new era of data privacy, as the Protection of Personal Information Act (POPIA) finally comes into play.
Following a one-year grace period to comply with POPIA, from 1 July, organisations that do not meet the conditions prescribed by the legislation will now be held liable.
Previously, the enforcer of POPIA, the Information Regulator, did not have teeth to deal with violators of the data privacy law, which was passed in July last year.
The Act has set down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for the business – implications that can cost more than money, and have long-lasting consequences.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
The purpose of the legislation is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise personal information in any way.
Since 2013, SA’s data protection law has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.
John Giles, managing attorney at law firm Michalsons, says 1 July 2021 is a milestone in SA.
“For the protection of personal information, we move out of the grace period and into a world where the law [POPIA] is in full force. It is the start of the journey, not the end.
“For access to information, 1 July 2021 is the date the Information Regulator takes over the oversight of the Promotion of Access to Information Act (PAIA) in South Africa.”
Giles says PAIA has been in effect since 2002 but will now have a greater impact with a dedicated regulator to enforce it. The journey continues, he notes.
“We’re turning the tide on criminals who use people’s personal information to harm them. Criminals steal people’s identity so that they can steal their money and incur credit in their names. They use it to discriminate against people, control their behaviour and persuade them into doing things they shouldn’t do. They use it to infringe people’s privacy – a fundamental human right.”
According to Giles, everyone has a duty to protect others from harm.
“We all need to play our part in protecting the personal information of others and thereby looking out for each other. Your customers, employees, suppliers, shareholders and directors are critical to you – look after them. Failing to do so is simply bad for business. Also, if you want to participate in the global data economy, you have to protect personal information.”
Lawful processing of information
Speaking on SABC last night, advocate Pansy Tlakula, chairperson of the Information Regulator, said the new law prescribes the lawful processing of information.
“So anyone who processes personal information will now fall within the ambit of the Act, as to comply with those conditions.”
According to Tlakula, those conditions “include anyone who is processing personal information for another, and they must get the consent of the owner of that personal information and they must use the personal information only for the purpose for which they collected it.
“They must collect minimal personal information – for instance, if you apply for a job, there are certain questions that you cannot be asked; like your sexual orientation, for instance – that will be over-processing. So only minimal information has to be collected.
“And if the information is going to be used for another purpose other than it was originally intended for, then the owner of the information must consent.”
She pointed out that most importantly, whoever collects personal information and processes it must ensure they maintain the integrity and the confidentiality of that information and they must keep it only for the period that they need it for.
“If you think that someone has your personal information without your consent, you can lodge a complaint with the information regulator, or you can put a request to the company that holds your information to confirm that they are holding your personal information and the sort of information that they will be holding. You can even ask them to delete that information.”
Tlakula noted the significance of the 1st of July is that the enforcement powers of the regulator are going to come into effect.
“Before the 1st of July, we could not provide remedies to those whose personal information was processed not according to the provisions of the law.”
Karl Blom, senior associate, and Prineil Padayachy, associate from Webber Wentzel, are of the view that most organisations are not fully prepared for the law; however, “we have seen that many organisations are committed to achieving compliance”.
They point out that POPIA compliance cannot be achieved overnight and there are many South African organisations that are still working towards achieving compliance.
“This is long journey and requires meticulous analysis and a substantial amount of work to ensure that an organisation is compliant with POPIA. It is important to note that compliance with POPIA is an ongoing process and organisations will need to ensure they continue to take steps to ensure they remain compliant with POPIA following 1 July 2021.”
Blom and Padayachy say while the one-year grace period may have been sufficient for most organisations to ensure compliance, ultimately, each company is different and many factors can impact the time needed to ensure compliance.
They explain that this includes, for example, the size of the firm, the nature of its business and processing activities, the complexity of its IT systems and the amount of data it processes.
“There is no shortcut for compliance and the consequences of non-compliance are severe, meaning organisations often require a fair amount of time in order to properly assess and implement measures necessary for POPIA compliance.
“Organisations that are non-compliant should take immediate steps to familiarise themselves with the requirements of POPIA and the impact on their organisations. We suggest that organisations focus on ‘easy wins’, whereby they work towards substantial compliance in the first instance and thereafter focus on more specific issues that take more time to resolve.”