South Africa’s new data privacy laws take effect tomorrow – What you need to know
President Cyril Ramaphosa recently announced that certain sections of South Africa’s Protection of Personal Information Act (POPIA) will take effect from 1 July 2020.
The Act has been put into operation incrementally, with a number of sections of the Act having been implemented in April 2014.
While sections 110 and 114(4) of the Act will only be implemented on 30 June 2021, a number of sections will take effect from tomorrow.
These concern the following issues, amongst others:
- Lawful processing of personal information.
- Procedure for dealing with complaints.
- Restrictions around direct marketing via unsolicited electronic communications.
- Code of conduct issued by the Information Regulator.
“The Act is fundamental in safeguarding persons’ personal information and thus protecting them against data breaches and theft of personal information,” Ramaphosa said upon confirming the commencement date.
Protecting consumer information
POPIA focuses greatly on consumers’ right to privacy, requiring the secure and local storage of customer information.
The processing of this data can only be completed under specific conditions which balance the right to privacy against other rights – particularly the right of access to information.
Based on this, your personal information can be disclosed under a number of circumstances.
The circumstances under which private data can be processed include the following cases:
- The data subject (the customer or employee) consents to the processing.
- Processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
- Processing complies with an obligation imposed by law on the responsible party.
- Processing protects a legitimate interest of the data subject.
- Processing is necessary for the proper performance of a public law duty by a public body.
- Processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
The confirmed commencement dates of these rules mean that businesses now have a set deadline for conformation to all regulations, and those that are unprepared must quickly align their processes with the new regulations.
Readiness of South African businesses
DLA Piper South Africa said the data protection compliance projects across many businesses previously lost steam and have only recently regained momentum.
“Understandably many of these institutions did not allocate resources to conducting POPIA compliance projects, as compliance was seen as a nice to have,” it said.
“Now that POPIA will come into force on 1 July 2020, both public and private bodies are obliged to use the 1 year grace period to get their houses in order to avoid the imposition of sanctions and/or reputational harm due to being non-compliant.”
DLA Piper added that considering the effect of COVID-19 and the national lockdown, the implementation of compliance projects may be overly burdensome.
Due to this, it said that it may not be realistic to expect all institutions to reach a 100% level of compliance by 1 July 2021.
“Therefore, organisations should prioritise during the grace period compliance with those provisions of POPIA for which a fine may be imposed for a first offence, for example, failing to comply with the prior authorisation requirements under POPIA,” DLA Piper South Africa said.