South Africa’s Protection of Personal Information Act (POPIA) was initially expected to take effect from 1 April 2020, but that date was delayed due to the coronavirus outbreak in the country. Seven years after the enactment of POPIA, President Cyril Ramaphosa issued a proclamation on 22 June confirming that POPIA will finally come into force on 1 July 2020, with the exception of some provisions, which come into force on 30 June 2021. What does this mean for South African businesses, and what comes next?
DLA Piper South Africa’s Director Monique Jefferson and Associate Savanna Stephens unpack key questions that provide insight into South Africa’s readiness to comply, the next steps, and the realities that will accompany businesses’ journeys to POPIA compliance.
1. What is the state of readiness to comply in South Africa, and why?
With full commencement of POPIA delayed since its partial commencement in April 2014, data protection compliance projects across many businesses began to lose steam, and these projects have only recently regained momentum. We have, however, seen many global organizations embark on data protection compliance projects as a result of their obligations under the EU’s General Data Protection Regulation, and many of these organizations have initiated and implemented measures that take into account the local nuances applicable under POPIA. Understandably, many other institutions did not allocate resources to POPIA compliance projects, as compliance was seen as a nice to have. Now that POPIA will come into force on 1 July 2020, both public and private bodies are obliged to use the one-year grace period to get their houses in order to avoid the imposition of sanctions and/or reputational harm due to non-compliance.
2. What next steps can organizations take to ensure that they are compliant within the next year?
- Conduct a POPIA readiness assessment (gap analysis) of the organization’s operations and processing activities to determine the current level of compliance, identify the gaps, and determine where measures should be implemented to comply with POPIA;
- Conduct a data mapping exercise to determine the flow of personal information within the organization and externally to and from third parties, both within South Africa and outside of South Africa.
The key areas that most organizations target in respect of compliance are:
- Implementation of technical and organizational measures to protect and prevent unauthorized access and acquisition of personal information;
- Reconsidering and/or putting in place measures for identified transborder flows of personal information – seeking prior authorization of the Information Regulator where necessary and implementing data transfer agreements;
- Developing a culture of privacy through training of staff, updating and implementing policies and procedures and rolling out awareness campaigns;
- Reviewing and updating all customer, client, supplier and third party agreements;
- Preparation of consent documents and privacy notices;
- Implementation of a data breach/incident response plan and policy;
- Implementation of a system for the management of data subject access rights in terms of POPIA and PAIA.
3. Is one year a realistic expectation in light of COVID-19, given that there will probably be organizations that do not reach 100% compliance?
Institutions have been aware of the existence of POPIA for quite some time and have received warnings from the Information Regulator to take steps to comply with POPIA in the interim. However, in light of the unprecedented times in which we find ourselves, the implementation of any project may be overly burdensome on institutions, and in certain instances it may not be realistic to expect institutions to reach 100% compliance by 1 July 2021. There are two points of comfort for such entities: (i) the grace period may be extended (by proclamation, at the request of the Information Regulator), for example where there is a lack of operational readiness by 30 June 2021; and (ii) most instances of non-compliance do not result in an immediate sanction; rather, a process is followed in which the Information Regulator issues an enforcement notice requiring the organization to comply, and it is failure to comply with that notice that constitutes an offence. Organizations should therefore prioritise, during the grace period, compliance with those provisions of POPIA for which a fine may be imposed for a first offence, for example failing to comply with the prior authorization requirements under POPIA.
4. With organizations such as SARS moving to auto-assessments, will POPIA not be a challenge or barrier to sharing information, for instance when SARS sources information from banks? How can this work in a way that is POPIA compliant?
POPIA does not seek to create barriers to the sharing of personal information. Rather, its objective is to protect personal information that is processed from unauthorized access and acquisition, and to grant data subjects certain rights so that they are able to object to the processing of their personal information, request updates to it, and request its deletion, destruction or return, or copies of it, from an organization that processes it. Responsible parties may process personal information so long as there is an appropriate justification in law for such processing, and this includes sharing personal information with the consent of the data subject. In the present circumstances, the following justifications can be relied on for the sharing of information with SARS for purposes of the auto-assessments: (i) the customer consents to the bank sharing the customer’s personal information with SARS or any other specified third party; (ii) the bank is required by law to report certain tax-related information it holds to SARS; and (iii) SARS is required to obtain the requisite information relating to the data subject to perform its legal obligations. To ensure that personal information is transferred between the parties in a secure manner, a data sharing agreement may be entered into between SARS and the banks governing the transfer of clients’ data for the execution of auto-assessments. Notably, the auto-assessment will also be regulated by the rights granted to data subjects under POPIA in respect of automated decision making that has substantial legal effects on the data subject.