Era Gunning of ENSafrica in Johannesburg considers how to prepare for POPI, South Africa’s privacy law


August 20 2013: The South African National Assembly passes the Protection of Personal Information Bill [B9D of 2009] (“the Bill”) to give effect to the constitutional right to privacy.

November 19 2013: The Bill is signed into law by President Jacob Zuma and gazetted as the Protection of Personal Information Act 4 of 2013 (POPI).

April 11 2014: Certain provisions relating to the establishment of the Information Regulator (“the Regulator”) and the making of regulations under POPI are brought into force.

July 24 2015: Parliament calls for nominations for candidates for five positions within the Regulator.

April 13 2016: The Portfolio Committee on Justice and Correctional Services (“the Committee”) shortlists 10 candidates for positions within the Regulator.

May 17 2016: The Committee recommends that Adv. Pansy Tlakula be appointed as chairperson and four other candidates as members of the Regulator.


What’s next?

The National Assembly needs to approve the appointment of the recommended candidates. It is expected that this will happen after the local elections in August 2016. The POPI Regulations will then be published and the Act will come into force on a date to be announced by the President.

“Responsible parties” (public or private bodies or any other person which, alone or with others, determine the purpose of, and means for, processing personal information) will then have a one-year transitional period before having to comply with POPI.

The Regulator will have extensive powers, and any person alleging interference with the protection of personal information of a data subject (the person to whom the information relates) may submit a complaint.

The Regulator may then assist the parties to reach a settlement or investigate the complaint and, after considering its Enforcement Committee’s recommendations, issue an enforcement notice. Failure to comply with this notice is an offence, which may lead to a fine of up to R10-million or imprisonment for up to 10 years, or both.

Responsible parties must comply with the eight conditions for processing personal information set out in chapter 3 of POPI. In addition, certain responsible parties, such as those who process information for the purposes of credit reporting, must obtain prior authorisation from the Regulator before processing personal information. Failure to do so is an offence, punishable by a fine or imprisonment of up to 12 months, or both. Responsible parties must also appoint information officers, who must be registered with the Regulator.

What to do now?

We estimate that POPI will come into force around the last quarter of 2017. It is therefore essential that companies use the next year or so to conduct POPI audits and put POPI policies in place.

ENSafrica has a specialised POPI compliance team and the firm’s POPI Toolkit can assist companies to meet POPI's requirements. The firm also offers in-house tailored POPI workshops and information officer training courses.


About the author

Era Gunning is a senior associate in ENSafrica’s banking and finance department. She is admitted as an attorney of the High Court of South Africa and as a solicitor of the Supreme Court of New South Wales, Australia.