The majority of the Protection of Personal Information Act 2013 (POPI) commenced on 1 July 2020. The sections that commenced govern how personal information (broadly, information relating to an identifiable, living natural person or an identifiable, existing juristic person) may be processed in South Africa or transferred across borders.
As POPI compliance initiatives gain momentum, regulated entities should take account of the protections for personal information that existing legislation already imposes on them. For example, the Financial Advisory and Intermediary Services Act 2002 (FAIS) imposes requirements on regulated entities in respect of client confidentiality, marketing and client consent, and, in certain circumstances, requires notices to the FSCA in the event of a data breach. Similar measures to protect personal information are imposed on market infrastructures under the Financial Markets Act 2012. Banks are also subject to a duty of confidentiality.
A POPI compliance audit is an effective way of identifying the risks or gaps of which a business may not have been aware, and of identifying measures to address them. A business licensed under FAIS, for example, must ensure that such an audit takes account of the measures it already has in place to comply with its obligations under FAIS and other applicable laws, so that the POPI measures build on, rather than duplicate or conflict with, those existing controls.
Anyone processing personal information in South Africa has a 12-month grace period, running from 1 July 2020, to ensure that they comply with the requirements of POPI. After 1 July 2021, non-compliance with POPI will have consequences including administrative penalties of up to R10 million, civil proceedings instituted by data subjects or the Regulator, and, in some circumstances, criminal offences and fines.