One year into POPIA - taking stock

South Africa

1 July 2022 marks the one-year anniversary of the Protection of Personal Information Act No 4 of 2013 (“POPIA”) compliance deadline for all organisations, as provided by the government of South Africa. For local organisations, the compliance deadline has imposed various operational and organizational parameters in so far as the processing of personal information is concerned, which has necessitated a compliance drive to bring various business operations in line with the prescripts of POPIA. In this regard, it is imperative that organisations subject to provisions of POPIA, understand the implications of their compliance journey, and with this understanding, put in place systems and measures to manage both their existing and on-going compliance obligations.

Background:

Save for a limited set of provisions of POPIA, which previously became effective in 2013, on 1 July 2020, the remaining operational provisions of POPIA became effective.  However, organisations were granted a one-year grace period within which such organisations were required to bring their operations in line with the provisions of POPIA.

What has happened since POPIA came into effect:

Compliance with POPIA has in certain circumstances necessitated a fundamental shift in so far as the manner in which organisations approach certain aspects of their operations. With this shift has come various challenges in accommodating such a transition e.g. there has been a slow uptake on the registration of information officers, many organisations are yet to put in place and/or update their existing Promotion of Access to Information Manual (“PAIA Manual”) as prescribed by the Promotion of Access to Information Act No 2 of 2000 (as amended) (“PAIA”) read with POPIA etc. Further to the above, there are still issues in the interpretation of certain provisions of POPIA which remains unchartered territory that must be navigated through the use of the appropriate processes and legal mechanisms.

In order to pragmatically address compliance with POPIA, organisations have had to undertake costly exercises in training their staff to comply with POPIA across all of their operations and have had to conduct personal information impact assessments to practically address areas of non-compliance with POPIA within their organisations. In addition, organisations have had to consider their relationship with third parties (i.e. suppliers, customers etc.) to address issues relating to the consent, transfers and sharing of personal information, retention and applicable requirements set out in POPIA while having to navigate the intricacies of the much varied approach to dealing with incidents of data breaches.

Notwithstanding the above, developments in case law relating to Data Privacy have aided organisations in better understanding the compliance requirements set out in POPIA[1]. However, this understanding must be accompanied by practical guidelines to assist organisations in the development and implementation of an appropriate compliance programme that takes into account the needs and operational parameters of a given organisation.

How to Comply:

To address any potential compliance gaps within a business, a number of fundamental steps must be considered and taken to guide an organisation in its compliance journey, which may include:

  • Conducting a gap analysis to determine an organisation’s readiness for POPIA;

  • Undertaking Data Mapping exercises to understand the type of information processed by an organisation and for what purpose such information is processed;

  • Considering the relevant data transfer requirements and how they may affect an organisation’s commercial arrangements with third parties and/or how it manages the sharing of data from an intercompany perspective;

  • Updating the PAIA manual to accord with the relevant requirements set out in PAIA (as amended) and POPIA;

  • Developing a culture of privacy by:
    • Conducting an awareness campaign in the organisation;

    • Training staff; and

    • Updating the relevant organisational policies.

  • Updating customer and supplier contracts to ensure they accord with the relevant requirements set out in POPIA;

  • Preparing the relevant consent and notification documentation;

  • Implementing a system for Data Subject access management; and

  • Preparing and updating a Data Breach Incident Response Plan.

The abovementioned steps are useful in establishing certain best practices in an organisation’s POPIA compliance journey, however, the POPIA compliance journey is not an idle one as it triggers various on-going obligations that necessitate a constant review of organisational processes to ensure that they do not fall short of the requirements set out in POPI.

What to expect?

In recognition of the one-year anniversary of POPIA, CMS will be publishing a series of articles to take stock of the relevant developments since the enactment of POPIA, which will broadly deal with:

  1. The Role of Employees in Data Protection Compliance Programmes;

  2. Understanding Personal Information Impact Assessments;

  3. The Management of Data Transfers;

  4. Notifications and disclosures of Processing Activities;

  5. Understanding the various types of Cyber Risk; and

  6. A broad account of Data Breaches.

Understanding the intricacies and implications of the requirements set out in POPIA will require active engagement and consultation on the part of organisations to test their operations against the prescripts of POPIA. It is not sufficient for organisations to deal with their obligations in terms of the Act on a theoretical basis alone, as the requirements relating to various organisations may differ on a case-by‑case basis. Compliance with the present and on-going obligations with POPIA must be accompanied by a practical process that allows organisations to meaningfully measure compliance and identify/address the deficiencies identified using a pragmatic and methodical approach.

Zaakir Mohamed (Director, Head of Corporate Investigations and Forensics, CMS South Africa)

Savanna Stephens (Senior Associate, Corporate and Commercial, CMS South Africa)

Mawande Ntontela (Associate, Corporate Investigations and Forensics, CMS South Africa)



[1]Discovery Ltd and Others v Liberty Group Ltd (21362/2019) [2020] ZAGPJHC- developed our understanding of the principles relating to data ownership.