On 22 June 2020, two important commencement dates were announced for the remaining sections of the Protection of Personal Information Act (POPIA or the Act). Sections 2 to 38; sections 55 to 109; section 111; and section 114(1), (2) and (3) will commence on 01st July 2020. Sections 110 and 114(4) commence on 30th June 2021.
Vital sections commence on 01st July 2020, including those pertaining to:
- the eight conditions for the lawful processing of personal information;
- the prohibition and general authorisation concerning the processing of special personal information;
- where authorisation is required from the Regulator prior to processing;
- direct marketing by means of unsolicited electronic communications;
- the transfer of personal information outside the Republic;
- offences, penalties and administrative fines; and
- general enforcement.
Section 114(1) is particularly important, as this section provides a grace period of one year for all entities, public and private, to ensure compliance with the Act by 01st July 2021. Ideally, efforts should already be underway to comply with the Act and give effect to the rights of individuals. While one year may seem like a long time, POPIA requirements are quite onerous and time consuming to implement.
The eight conditions for lawful processing that safeguard the privacy and integrity of data subjects can be summarised as follows:
i. accountability: which requires that the responsible party complies with all the conditions for lawful processing;
ii. processing limitation: requiring that personal information only be processed in a fair and lawful manner and with the consent of the data subject;
iii. specific purpose: personal information may only be collected for a specific, explicitly defined and lawful purpose related to the activity in question;
iv. further processing limitation: personal information may not be processed for a secondary purpose, unless it is compatible with the original purpose;
v. information quality: the personal information collected must be complete, accurate, not misleading and updated where necessary;
vi. openness: the data subject must be aware that personal information is being collected and the purpose for which it is collected;
vii. security safeguards: appropriate safeguards must be put in place to protect against loss, unauthorised destruction or unlawful access;
viii. data subject participation: a data subject has the right to request access to the personal information and request correction or deletion thereof, where applicable.
Failure to comply with the Act can result in a fine of up to R10 million or imprisonment for up to 10 years, or both. Fines aside, the consequences of non-compliance with POPIA requirements can be severe, including huge reputational damage. Estimates by IBM have put the average cost of a data breach at R66.5 million. The implementation of privacy programmes will mitigate potential harm.
This article has been written by Clea Rawlins, an Associate in the Commercial Department of Garlicke & Bousfield Inc
NOTE: This information should not be regarded as legal advice and is merely provided for information purposes on various aspects of commercial law.