South Africa’s President, Cyril Ramaphosa, announced yesterday that the Protection of Personal Information Act, 2013 will be fully effective from 1 July 2020. This is great news for SA because it enhances its plans to grow its digital economy. For example, if SA is able to show that its data privacy law is adequate for the European Union’s purposes, more work involving the use of EU citizens’ personal information is likely to flow to South Africa. Think of business process outsourcing activities like call centres: EU companies would be more comfortable outsourcing such work to South Africa, because its laws protect personal information.
It has taken 17 years for POPIA to reach this point. It started as a South African Law Reform Commission issue paper in 2003 and eventually became an Act in 2013. The most important parts of the Act are those that come into force on 1 July. What is important to note, is that the Act affords those who process personal information (most entities would fall into this category) 1 year from 1 July, to ensure that they implement POPIA’s requirements and become compliant.
Whilst becoming POPIA compliant may be relatively painless and quick for most smaller businesses, it can be a complex and lengthy task for large organisations processing large amounts, and different categories, of personal information. Our experience has shown that the sooner an organisation starts preparing for POPIA, the better. This is because there are often unexpected delays and it is never pleasant to have to work under the pressure of shortened timelines.
If South Africa is going to promote itself as a safe destination for personal information, it will need to show not only that it has an adequate law in place, but that it has a strong and capable Information Regulator. It is for this reason that we believe that, once the 1 year grace period has ended, the Information Regulator is likely to take a firm approach with those entities who are found to be non-compliant.
It would be wise to start preparing your organisation for POPIA compliance now. You can do so by first familiarising yourself with it as much as you can, decide who in your organisation is capable of driving POPIA compliance and, if you do not have the resources in-house, consider getting assistance from some of the excellent long-standing POPIA legal specialists like PPM Attorneys’ Lucien Pierce, Delphine Daversin and Melody Musoni, Novacon Consulting’s Elizabeth de Stadler and L.I.T.T. Institute’s Nerushka Bowan.
 2 Except sections, section 110 (amendment of laws) and section 114(4) transfer of functions between the SA Human Rights Commission and the Information Regulator, which will be in effect on 30 June 2021.