Information Officer registration portal broken - deadline extended

Jan

Information Officer registration website for POPIA compliance broken — deadline extended

There will be no deadline for registration of Information Officers and Deputy Information Officers, meaning that no responsible party will be held liable for not registering by 30 June 2021.

In a statement released on Tuesday, the Information Regulator said this decision follows technical glitches with the registration portal and numerous concerns raised by responsible parties regarding the registration process.

“The regulator is currently looking into alternative registration processes and will communicate this in due course. We understand that our portal malfunctioning has caused a lot of anxiety and panic and for that we really do apologise,” Chairperson of the Information Regulator, Advocate Pansy Tlakula said.

The registration of a Chief Executive Officer (CEO) as an Information Officer for multiple legal entities has been taken into consideration and it will be permissible.
 

Fulcrum29

It has been broken since May 3rd. I have bitched about it since in multiple threads on Mybroadband, and even when you have made a 'manual' submission it is still advised to register on the portal.
 

rvZA

We always knew it was not going to work, any system they implement does not work, much like the POPI Act itself won't work either. Not interested in this act or the regulator's office at all.
 

ghostRgg

> What do you mean? GDPR is prescribed to EU law.

I meant in a more indirect way. GDPR was a great implementation and a start to the whole data protection laws we see around the world, while our own version (I know we can't just copy-paste) has had issue after issue going for it.
 

Fulcrum29

> I meant in a more indirect way. GDPR was a great implementation and a start to the whole data protection laws we see around the world, while our own version (I know we can't just copy-paste) has had issue after issue going for it.

What are the issues?

I would say the biggest issue is businesses being unwilling to be compliant. There are businesses who don't agree with these privacy laws, many being under the impression that it will impact their reach. Many companies who rely on cold-calling techniques and practices would ignore this law straight up.

Then there is the compliance issue. You can pursue GDPR guidelines to meet most POPIA requirements, but the big issue at this time is registering on the portal, though you can register through other means they still demand portal registration, and then there is the department issued guidelines which are still absent at this time.

Most big companies would seek compliance through their 'legal' partners in any case. It is the small businesses, which is, again, being cast aside to sort it out by themselves.

There are POPI tools which can help businesses to advance towards compliance, but it does not cover the legal requirements in terms with best practices and other conveyance or transactional processes, amongst various other legal mechanisms, all which should be stipulated in a guideline.
 

ghostRgg

> Most big companies would seek compliance through their 'legal' partners in any case. It is the small businesses, which is, again, being cast aside to sort it out by themselves.
>
> There are POPI tools which can help businesses to advance towards compliance, but it does not cover the legal requirements in terms with best practices and other conveyance or transactional processes, amongst various other legal mechanisms, all which should be stipulated in a guideline.

Basically covered my issues with it. Small businesses. I have no issues with the act and compliant with it. It's just there being very little information out there regarding the legal requirements, not every business has a legal team who can just get handed the task.

Just started going through the whole act and find it frustrating to get through and all the legalities like you said, but we just have to. Eventually, I will get it right, just found my brain darting all over the place. Once I have a good understanding, will bring it up with somebody who knows more about it and can assist.

Do you know if the workshops are worth it?
 

Fulcrum29

> Basically covered my issues with it. Small businesses. I have no issues with the act and compliant with it. It's just there being very little information out there regarding the legal requirements, not every business has a legal team who can just get handed the task.
>
> Just started going through the whole act and find it frustrating to get through and all the legalities like you said, but we just have to. Eventually, I will get it right, just found my brain darting all over the place. Once I have a good understanding, will bring it up with somebody who knows more about it and can assist.
>
> Do you know if the workshops are worth it?

I would say that workshops are recommended. I know that 'eLearning' public/private workshops are also being hosted now.
 

Swa

I can't see this ever working correctly. The SASSA portal has been up for the better part of a year and you still can't register or apply. They've now enlisted a third party app, gov-something, which itself could be a POPIA violation.

What's seen as processing of information in any case and when do you require prior authorisation? How will it be enforced when no previous laws have been?
 

RonSwanson

> What are the issues?
>
> I would say the biggest issue is businesses being unwilling to be compliant. There are businesses who don't agree with these privacy laws, many being under the impression that it will impact their reach. Many companies who rely on cold-calling techniques and practices would ignore this law straight up.
>
> Then there is the compliance issue. You can pursue GDPR guidelines to meet most POPIA requirements, but the big issue at this time is registering on the portal, though you can register through other means they still demand portal registration, and then there is the department issued guidelines which are still absent at this time.
>
> Most big companies would seek compliance through their 'legal' partners in any case. It is the small businesses, which is, again, being cast aside to sort it out by themselves.
>
> There are POPI tools which can help businesses to advance towards compliance, but it does not cover the legal requirements in terms with best practices and other conveyance or transactional processes, amongst various other legal mechanisms, all which should be stipulated in a guideline.

Yes, a culture of non-compliance. Certainly one of the main ones, and one that will cost SA dearly in foreign revenue through loss of jobs. And it's evolving, look at Schrems II.

Then there is the law itself:
1. Even GDPR does not consider a MSISDN, EIC, ICCID etc. on its own to be PII, yet POPI does;
2. POPI has the lofty goal of protecting both non-juristic as well as juristic persons, GDPR does not;
3. The opt-out (to advertising) by default is a no-brainer, yet POPI allows it?
These, along with your first point, are some of the main issues with POPI.
 

TedLasso

> Yes, a culture of non-compliance. Certainly one of the main ones, and one that will cost SA dearly in foreign revenue through loss of jobs. And it's evolving, look at Schrems II.
>
> Then there is the law itself:
> 1. Even GDPR does not consider a MSISDN, EIC, ICCID etc. on its own to be PII, yet POPI does;
> 2. POPI has the lofty goal of protecting both non-juristic as well as juristic persons, GDPR does not;
> 3. The opt-out (to advertising) by default is a no-brainer, yet POPI allows it?
> These, along with your first point, are some of the main issues with POPI.

Explain point 3 please. Am a bit confused by it
 

Swa

> GDPR by default assumes opt-out from spam. There has to be an explicit agreement to receive it.

Afaik POPIA as well. Issue is enforcement as the other laws which also assume opt-out were never enforced. Company contacts me saying they need my permission to contact me. I keep quiet. They contact me again saying I didn't give permission and they need it to contact me.
 

rambo919

> Basically covered my issues with it. Small businesses. I have no issues with the act and compliant with it. It's just there being very little information out there regarding the legal requirements, not every business has a legal team who can just get handed the task.

I can see most people just not bothering with trying to get compliant.

Most small business is not compliant with many things like workmans comp and ufiling.... why? Because the bloody sites are broken since a year or so ago and no one can get anything done unless they are extremely lucky.
 

rvZA

> Afaik POPIA as well. Issue is enforcement as the other laws which also assume opt-out were never enforced. Company contacts me saying they need my permission to contact me. I keep quiet. They contact me again saying I didn't give permission and they need it to contact me.

If you do not explicitly inform them not to contact you, it simply means you have said nothing and kept quiet. The IR will close a case like this and inform you on the next occasion you get a call, to make use of the act and tell them to remove you.
 

Emjay

> We always knew it was not going to work, any system they implement does not work, much like the POPI Act itself won't work either. Not interested in this act or the regulator's office at all.

Working on a tricky project that entails hand over of customer data. POPI is a minefield and provides zero guidance on what is correct, and what is not. It's actually impacting our project, and even putting some of us at risk because we have to handle customer data. We have to spend money on POPI specialists to give us some guidance.

The entire thing is just so badly implemented. If the Government cannot even have its own house in order, how does it expect everyone else (who don't have the same resources) to comply?

This is why I believe all large governments should fall. They cause more problems than they answer imo.
 

TedLasso

> Afaik POPIA as well. Issue is enforcement as the other laws which also assume opt-out were never enforced. Company contacts me saying they need my permission to contact me. I keep quiet. They contact me again saying I didn't give permission and they need it to contact me.

My understanding was something like this

1. I try to 're-consent' my database e.g. 400 people. I send email to all 400, 300 don't respond - they are considered to be opted-out. We can't contact them again. Lawyers in many POPIA meetings I attended recommended never to re-consent your database.

The way we are doing it is we are not asking for consent. Our privacy policies state exactly how and what we use PI for based on the different types of data subjects we have. If we send a marketing email, there is always an unsubscribe option including a link to our privacy policy. If a customer clicks on the link to unsubscribe and follows through, the CRM system automatically updates their record and we can't send email again, unless the customer opts in again. For opt in, this time they need to do it via digital signature in a face-to-face setting. Our target market is health care professionals.

Another thing our CRM also does is if we send an email to someone who was consented and the email bounces, that customer is automatically opted out.

Edit: One of the important bits is that your opt-out process must be bulletproof. Ensure that if someone opts out, you never send them an email again, for example. Non-compliance with the wish of the data subject here is what's going to get many companies in trouble when the IR does come knocking. I have a feeling that, as much as the IR is not ready, they are going to look to make an example of someone to show they have teeth ... I always just hope it's not going to be my company (or I am in ****!)
 

Swa

> If you do not explicitly inform them not to contact you, it simply means you have said nothing and kept quiet. The IR will close a case like this and inform you on the next occasion you get a call, to make use of the act and tell them to remove you.

Not under the previous act, can't even remember which one it is. The irony is they say they need my consent to contact me. Then again tell me because I didn't consent the first time they need my consent to contact me. It's loopholes such as this that will make it fail.
 