Final POPI Act Regulations published - what you should know

Businesses operating in South Africa are presently facing the enactment of the Protection of Personal Information Act 4 of 2013 (POPI Act) and accompanying Regulations.

During December 2018, the final POPI Act Regulations were published by the Information Regulator. Compliance with the POPI Act will soon be mandatory for all organisations in South Africa. Although the final POPI Act Regulations have been published, the commencement date still needs to be determined by the Information Regulator. We will keep you updated in this regard.

What are the objectives of the POPI Act?

The main objectives of the POPI Act are to control the processing of personal information and provide data protection in a robust effort to align all South African data protection laws with international standards.

The POPI Act Regulations do not provide practical guidance on how to comply with the POPI Act. Although there are no clear controls, the responsible party remains accountable for adhering to the conditions applicable to their specific workplace and industry.

What documentation relates to the processing of information as per the POPI Act?

The recently published regulations contain a number of prescribed forms relating to the processing of information, for example–

  • a form for raising objections to the processing of personal information;
  • requests for the correction or deletion / destruction of personal information;
  • an application for issuing a code of conduct;
  • a request for the data subject’s consent to process personal information for the purposes of direct marketing;*
  • a submission of complaint, appeal, enforcement and assessments;
  • a form for the Regulator acting as conciliator during investigation;
  • pre-investigation proceedings of the Regulator;
  • a form for informing the parties of developments regarding investigations, etc.

* Section 6 of the POPI Act Regulations specifically addresses the consent for processing personal information. The Regulations are vague on the specific method or prescribed form in different situations, but this section deals with the consent for direct marketing by electronic communications only. This means that you do not need to obtain written consent for every data subject. You only need a record of some form of consent, which includes voice recordings.

What are the responsibilities of an Information Officer as per the POPI Act?

The responsibilities of Information Officers are also set out in more detail and include, amongst other duties, the development of a compliance framework. The Regulator included a section on the responsibilities of Information Officers and emphasises 5 (five) key responsibilities:

  • The Information Officer must ensure that a compliance framework is developed, implemented, monitored and maintained in line with the conditions of the POPI Act.
  • The Information Officer must ensure that a personal information assessment is conducted so that adequate measures and standards are applied.
  • The Information Officer must ensure that a manual is developed, monitored, maintained and made available as prescribed by the Promotion of Access to Information Act (PAIA).
  • The Information Officer must ensure that internal measures are developed, with a system to process requests or access to information.
  • The Information Officer must ensure that internal (staff and management) awareness sessions are conducted.

Whilst the main focus of the POPI Act is on compliance, our approach at SERR Synergy is to implement compliance in such a way that it provides business value to our clients and allows for improvement in efficiencies and effectiveness by meeting the compliance requirements.

About the Author: Retha van Zyl completed her BCom Hons (Economics and Risk Management) studies at the North West University. She joined our team in January 2016 and currently holds the title ‘Information Compliance Advisor’. She specialises in POPI and PAIA compliance, which includes compiling and submitting PAIA manuals to the Human Rights Commission. She also compiles and implements Information Security Management Systems (ISMS) to identify risks associated with information security in each department within an organisation.

