The Protection of Personal Information (POPI) Act was signed into law by the President on 19 November 2013. Once the Act is made effective, companies will be given a year’s grace period to comply with it, unless this grace period is extended as allowed by the Act. This article is an overview of how businesses in South Africa can ensure compliance with POPI.
This article was published by Melanie Hart of Fasken Martineau, who has agreed to Simmons & Simmons making it available on elexica.
The Protection of Personal Information Act has an impact on all businesses within South Africa. Read more to understand how businesses can ensure compliance with POPI.
The Information Regulator has published Regulations in terms of the Protection of Personal Information Act, 4 of 2013 (POPI).
The Regulations comprise a number of prescribed forms as annexures. These include forms that a data subject may use to lodge an objection with the responsible party to the processing of personal information, to correct or delete personal information held by the responsible party, and to submit a complaint to the Regulator.
There is also a prescribed form setting out an application for the consent of a data subject for the processing of personal information for the purpose of direct marketing.
The Regulations also stipulate the obligations of the information officer, which include ensuring a compliance framework and adequate measures to comply with the conditions for the lawful processing of personal information, and updating the manual published in terms of the Promotion of Access to Information Act to address various aspects of processing in terms of POPI.
A private or public body which represents a class of bodies, industry, profession or vocation may apply to the Regulator for codes of conduct to be issued which stipulate a standard for POPI compliance within that particular class, industry, profession or vocation.
The Regulations also set out the powers of the Regulator when conducting a pre-investigation and handling an investigation in relation to allegations of interference with the protection of the personal information of a data subject.
The publication of the Regulations may be a sign that commencement of the remaining provisions of POPI is imminent.