POPI - The good, the bad and the still to be decided...

Written by: Nadine Arnold

I was quite shocked to read recently that between 70% and 80% of South African adults have been victims of cyber crime in their lifetime. While we are losing in excess of R2.2 billion to internet fraud and phishing attacks annually, these numbers are increasing rapidly, with very few prosecutions taking place in South African cyber crime cases. 

At the heart of it, cyber criminals require access to personal information. 

The Protection of Personal Information Act (POPI) is essentially the first piece of South African legislation that addresses the protection of our personal information. 

Although not yet fully implemented, POPI aims to promote the protection of personal information and our broader Constitutional right to privacy, by regulating how such information is stored, secured, and ultimately destroyed. 

Currently these minimum requirements are not mandatory and access to personal information remains a fuzzy grey area in our law. 

So when will POPI come into force?

Before POPI can come into effect, an Information Regulator has to be appointed by the Government. Nominations for the appointment of the Regulator were called for last year, but no appointment has yet been made and draft regulations have not been published. 

It is fair to presume that with local government elections taking place in May, POPI will likely come into effect in the second half of 2016.

Once POPI is fully implemented, businesses will have one year to comply with the legislation. While this time frame may be suitable for smaller businesses, larger enterprises may need two to three years to be compliant. Failure to comply could expose businesses to fines of up to R10 million from the Regulator. 

So how does one get the house in order?

  • Read the POPI Act to understand, from your company’s perspective, what your responsibilities are and how these relate to your customers’ rights. Understanding the effects of non-compliance could provide the foundation for identifying where your business may be at risk. 
  • Determine what your current levels of compliance are and the steps necessary to comply with the POPI Act. Amongst other obligations, businesses are required to take reasonable technological and organisational measures to ensure minimum standards are achieved in protecting integrity and confidentiality of personal information. 
  • Put together a project plan to address the total life cycle of personal information in your business.
  • Review your employee and third party service provider agreements to ensure that they reflect your obligations in terms of POPI.

Despite the uncertainty around when POPI will come into effect in our law, one thing remains clear: given the global trend towards stricter data protection regulation, POPI is certainly not going away!