There are a couple of things that have to happen before the Act will become a reality for business: The President has to publish a commencement date in the Government Gazette; then businesses will have at least a year to comply; then an Information Regulator will have to be appointed and its office established.
This article from the Consumer Law Review offers valuable guidelines and important information regarding POPI for your business.
Read the full article below, but remember to subscribe to this informative newsletter here – it’s free!
POPI has become law. The Protection of Personal Information Act 4 of 2013 was signed by the President on 19 November 2013. You can download the Act here.
There are a couple of things that have to happen before the Act will become a reality for business:
- The President still has to publish a commencement date in the Government Gazette.
- Once the commence date is published businesses will have at least a year to comply. This grace period may be longer, but at most it will be three years. See s 114.
- Before the Act can become fully operational an Information Regulator will have to be appointed and its office established. This will involve the publication of regulations.
However, a year is not a long time to ensure that a business is POPI compliant. For many businesses the processing of personal information is a core business function, which will make matters worse. For those who are wondering what POPI compliance will look like, the website of the UK Information Commissioner’s Office is a good place to start. It features several checklists and codes of conduct. Also remember our ‘Intro to POPI’ articles which have appeared in the last year. Here they are:
- September 2012: When does PoPI apply? The definitions of ‘personal information’ and ‘processing’.
- October 2012: When is the processing of information lawful? The factual scenarios which justify the processing of personal information.
- November/December 2012: The obligation to inform the consumer of the (explicitly defined) purpose for which the data is being collected.
- January 2013: The role of consent
- July/August 2013: Information security
- August/September 2013: Referral selling – is it ok to ask consumers for the personal information of others?
- October/November 2013: Transborder information flow
(Back issues of the CLR can be accessed by clicking on newsletters on the www.jutalaw.co.za website.)
South Africa is not the only country grappling with data privacy issues. See this interesting article about the drive to adopt stricter rules on data protection in the EU. More information on the existing data protection laws and the current reforms are available on the European Commission’s website. This is a useful source of information given that POPI is based on EU law. We don’t have to reinvent the wheel.
POPI is probably the scariest for direct marketers. POPI has been described as ‘a silver bullet to kill spam’. Not only will they have to contend with the new rules regarding consent and the change from an opt-out to a qualified opt-in system; it also seems that we can expect a new national opt-out registry in 2014.
Elizabeth de Stadler is the editor of the Consumer Law Review and a senior associate at Esselaar Attorneys in Long Street in Cape Town (http://www.esselaar.co.za). The firm specialises in consumer law. She is also a founding director of Novation Consulting (www.novcon.co.za or @NovConSA), a company which specialises in providing regulatory compliance solutions and designing innovative and effective ways to communicate ‘legal’ documents to consumers. Her book, Consumer Law Unlocked (Siber Ink), was published recently. She is the author of a consumer law textbook and a guide to plain language legal drafting, both of which are to be published by Juta Law. She is also the co-author of chapters on the Consumer Protection Act in The Law of Contract in South Africa and The Law of Commerce in South Africa (Oxford University Press).
Look Elizabeth up on our website as one of our subject matter experts.