Final POPI Act Regulations published - what you should know

Final POPI Act Regulations published - what you should know

Final POPI Act Regulations published - what you should know

Businesses operating in South Africa are presently facing the enactment of the Protection of Personal Information Act 4 of 2013 (POPI Act) and accompanying Regulations.

During December 2018, the final POPI Act Regulations were published by the Information Regulator. Compliance with the POPI Act will soon be mandatory for all organisations in South Africa. Although the final POPI Act Regulations have been published, the commencement date still needs to be determined by the Information Regulator. We will keep you updated in this regard.

What are the objectives of the POPI Act?

The main objectives of the POPI Act are to control the processing of personal information and provide data protection in a robust effort to align all South African data protection laws with international standards.

The POPI Act Regulations do not provide practical guidance on how to comply with the POPI Act. Although there are no clear controls, the responsible party remains accountable for adhering to the conditions applicable to their specific workplace and industry.

What documentation relates to the processing of information as per the POPI Act?

The recently published regulations contain a number of prescribed forms relating to the processing of information, for example–

  • a form for raising objections to the processing of personal information;
  • requests for the correction or deletion / destruction of personal information;
  • an application for issuing a code of conduct;
  • a request for the data subject’s consent to process personal information for the purposes of direct marketing;

* Section 6 of the POPI Act Regulations specifically addresses the consent for processing personal information. The Regulations are vague on the specific method or prescribed form in different situations, but this section deals with the consent for direct marketing by electronic communications only. This means that you do not need to obtain written consent for every data subject. You only need a record of some form of consent, which includes voice recordings.

  • a submission of complaint, appeal, enforcement and assessments;
  • a form for the Regulator acting as conciliator during investigation;
  • pre-investigation proceedings of the Regulator;
  • a form for informing the parties of developments regarding investigations, etc.

What are the responsibilities of an Information Officer as per the POPI Act?

The responsibilities of the Information Officers are also set out in more detail and include the development of a compliance framework amongst other duties. Below find a list of responsibilities for the Information Officer. The Regulator included a section on the responsibilities of the Information Officers and emphasises 5 (five) key responsibilities:

  • The Information Officer must ensure that a compliance framework is developed, implemented monitored and maintained in line with the conditions of the POPI Act.
  • The Information Officer must ensure that a personal information assessment is conducted so that adequate measures and standards are applied.
  • The Information Officer must ensure that a manual is developed, monitored, maintained and made available as prescribed by the Promotion of Access to Information Act (PAIA).
  • The Information Officer must ensure that internal measures are developed, with a system to process requests or access to information.
  • The Information Officer must ensure that internal (staff and management) awareness sessions are conducted.

Whilst the main focus of the POPI Act is on compliance, our approach at SERR Synergy is to implement compliance in such a way that it provides business value to our clients and allows for improvement in efficiencies and effectiveness by meeting the compliance requirements.

About the Author: Retha van Zyl completed her BCom Hons (Economics and Risk Management) studies at the North West University. She joined our team in January 2016 and currently holds the title ‘Information Compliance Advisor’. She specialises in POPI and PAIA compliance, which includes compiling and submitting PAIA manuals to the Human Rights Commission. She also compiles and implements Information Security Management System (ISMS) to identify risks associated with information security in each department within an organisation.


You May Also Like

Direct Marketing vs the Consumer Protection Act and POPI Act (part 2)
June 14, 2018
Last week we dealt with the definition of direct marketing and whether a consumer can restrict a supplier from communicating directly with him/her.
What are the grounds for refusing Access to Information?
September 16, 2019
The Promotion of Access to Information Act (PAIA) was promulgated in 2000 and is intended to give effect to the Constitution, granting any person or Juristic person the right to have access to information.
POPI Act Update – Other sections of POPI Act proclaimed
June 26, 2020
South Africa’s Personal Information Act 4 of 2013 (POPI Act) is implemented in various phases and the provisions dealing with the appointment and powers of the Information Regulator were already implemented two years ago. 
Online Resource & News Portal