President Cyril Ramaphosa has announced that certain sections of South Africa’s Protection of Personal Information Act (POPIA) will take effect from 1 July 2020.
The Act has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.
Some of these sections include those relating to the establishment of the Information Regulator, members of which took office on 1 December 2016.
“Many of the remaining provisions of the Act could only be put into operation at a later stage as they require a state of operational readiness for the Information Regulator to assume its powers, functions and duties in terms of the Act,” Ramaphosa said.
The following sections of the Act will commence on the dates below:
- Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2), and (3) – 1 July 2020
- Sections 110 and 114(4) – 30 June 2021
The sections which will be commenced on 1 July 2020 concern the lawful processing of personal information, the procedure for dealing with complaints, new rules regarding direct marketing via unsolicited electronic communication, and a code of conduct issued by the Information Regulator.
“Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act,” Ramaphosa said.
“The Act is fundamental in safeguarding persons’ personal information and thus protecting them against data breaches and theft of personal information.”
Effect on businesses
The POPIA was expected to come into effect from 1 April 2020, but the initial commencement was delayed due to the COVID-19 outbreak.
POPIA will bring about a number of changes to South African businesses.
Citizens will have more control over the processing and privacy of their information, which will result in fewer spam calls and reduced exposure of their personal details to companies.
The provisions which are to be commenced from 1 July may result in “cold calling” no longer being allowed and will impose a significant burden on direct marketers to secure databases of personal information.
Companies will also need to ensure their customer data is processed securely and in line with the regulations, or they will face hefty fines.
Importantly, POPIA includes provisions for the disclosure and processing of personal information.
In cases which fall outside of these categories, personal information may not be processed or disclosed – providing South Africans with protection against companies that would use their personal data unscrupulously.