No extension to POPI Act grace period, says info regulator
The one-year grace period given to South African organisations to comply with the Protection of Personal Information Act (POPIA) will not be extended.
So said advocate Pansy Tlakula, chairperson of the Information Regulator, in an e-mail interview with ITWeb.
According to Tlakula, the Information Regulator is in the process of making final preparations for SA’s data privacy law that is set to kick in on 1 July.
Since 2013, SA’s data protection law – POPIA – has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.
On 1 July 2020, the Act as a whole came into effect. However, local companies were given a one-year grace period to comply with the law.
The purpose of the legislation is to ensure all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information, by holding them accountable should they abuse or compromise personal information in any way.
Businesses that don't comply with POPIA, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
“The grace period provided for in section 114(1) of POPIA will come to an end on 1 July 2021 and this period will not be extended,” says Tlakula.
She adds that responsible parties (organisations) are required to comply with the provisions of Chapter 3 of POPIA, which contains the conditions for the lawful processing of personal information.
“We do not intend to repeat what is stated in the Act; however, in a nutshell, responsible parties must ensure a compliance framework is developed, implemented, monitored and maintained.
“A personal information impact assessment must also be done to ensure adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.”
She also points out that a manual must be developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No 2 of 2000), while internal measures are developed together with adequate systems to process requests for information or access thereto.
The regulator also urges organisations to have in place internal awareness sessions regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the regulator; and where necessary, authorisation or exemptions are obtained from the regulator prior to 1 July 2021.
Law firm Webber Wentzel explains that POPIA allows the Information Regulator to grant an exemption from certain conditions for processing personal information in certain circumstances.
It notes the Information Regulator may grant an exemption to a responsible party to process personal information (even if the processing breaches one of the eight conditions for lawful processing contained in POPIA) if the regulator is satisfied that the public interest outweighs any interference with the privacy of the data subject, or the processing involves a clear benefit to the data subject or a third-party, and that benefit outweighs any interference with the privacy of the data subject.
“Personal information processed to discharge a relevant function is exempt from certain provisions of POPIA, to the extent that applying those provisions would be likely to prejudice the proper discharge of that function,” says Webber Wentzel.
“An example of a relevant function is where an organisation processes personal information to protect members of the public against financial loss caused by the dishonesty, malpractice, or improper conduct of certain corporate or professional bodies,” it adds.