Privacy, Policies and POPIA

Seven years after the initial promulgation of the Protection of Personal Information Act (“POPIA”), most of its provisions have finally been enacted. As of 1 July 2020, the South African public and private sector had 365 days to become POPIA compliant and the clock is ticking! POPIA is a piece of legislation that will need to be one of the major pillars in any compliance exercise in any organisation. There are very limited sectors that will escape possible scrutiny in terms of POPIA.

In terms of international best practice, the notion of Privacy by Design will be one of the cornerstones of any POPIA compliance project within an institution or entity. This means that the starting point when developing any system or policy or procedure is ensuring that privacy protection is entrenched within the system itself. All technologies and organizational structures need to protect the privacy of the data subjects connected to that entity by default. Therefore, it is important that from now, any new systems that a company may adopt, or purchase are implemented with privacy protections in place. An audit of all the systems that are already in place will also need to be done to ensure that the company or entity does not fall foul of POPIA.

This is a project that needs to be undertaken in a methodical manner and should not be left to the last minute, that is for June 2021! It is our belief that there is ample time for companies to implement the Privacy by Design principles in time for compliance to be mandatory. It is however important to consult with professionals regarding the requirements because each business and institution will have different considerations to apply depending on the type of data that they deal with. And there may be many different types of data within one company itself that need to be protected and which may attract different requirements in terms of POPIA.

The important thing to remember is that there should be someone within each company or institution that has a deep knowledge of the business and who is willing to be involved at every stage of the POPIA compliance project. It is not a function that can be dealt with on an ad hoc basis without proper attention to detail and it will save time and energy for everyone if that person is identified early in the process. In larger companies or in those institutions where there is sensitive personal information there may be a need for a team to deal with the project.

If you start your POPIA compliance project now, identify the people who will assist you with the process, and commit to a methodical application of the Privacy by Design principles, you will not fall into the mad scramble that may cause sleepless nights this time next year.