Although South Africa’s first comprehensive piece of data protection legislation, the Protection of Personal Information Act (POPIA), was originally signed into law in November 2013, the substantive provisions of the law have not yet taken legal effect. That is likely to change since South Africa’s data protection authority, the Information Regulator, published the final draft of its POPIA regulations in December 2018.
Although the Information Regulator has not indicated exactly when those regulations will become final, it has indicated that the full implementation of POPIA should follow shortly thereafter. Section 114 of POPIA provides that once the law is fully implemented, its substantive provisions will become enforceable after a one-year transitional period. So, to the extent that the POPIA regulations are finalized at some point in 2019, POPIA's substantive provisions will become enforceable one year later, in 2020.
Interestingly, parts of POPIA’s structural rules already took effect in April 2014. These are:
- Section 1, which contains the definitions;
- Part A of Chapter 5, which regulates, among other things, the establishment, duties and powers of the Information Regulator; and
- Sections 112 and 113, which regulate the right of the Minister of Justice and Constitutional Development to issue regulations and the procedures to do so.
In line with Part A of Chapter 5, the Information Regulator was established and took office in December 2016. However, POPIA's substantive obligations and penalty provisions are still not in effect because, as outlined by the Information Regulator in a 2016 media statement regarding those provisions, they can only be implemented once the Information Regulator has reached a "stage of operational readiness."
Despite POPIA not being fully in effect, the Information Regulator has emphasised the need for regulation and has urged companies to start complying with its provisions ahead of its implementation. The Information Regulator has also written to companies, reminding them of the data privacy obligations they will have once the law takes effect. For example, it has sent letters to companies following data security incidents, requesting the information that would need to be made available under POPIA: how the incident occurred; the extent and materiality of the incident; interim measures put in place to prevent further compromise; security measures put in place to prevent a recurrence of similar incidents; and measures taken to inform affected data subjects of the incident so that they can take proactive steps against its potential consequences.
Companies operating in South Africa that wish to get a head start on POPIA compliance can reasonably rely on the Information Regulator's draft final POPIA regulations. Many of POPIA's requirements are modelled after UK law, so companies operating in the UK or Europe might look to their UK/European data protection compliance programs as a starting point for building programs that address the analogous obligations under POPIA.