Does your business have a POPIA Manual? You have until 31 December – here’s how!
.jpg?cache=always)
The POPIA deadline is officially over (as of 1 July 2021), and the Act is now in full effect, except for one provision (which we’ll explain later on). Is your business compliant? If you haven’t made the changes you need to yet, you must get a move on – both for the sake of your customer’s rights and your company. POPIA is not just there to protect customer’s private information from breaches, theft, and discrimination – it will also help safeguard your business digitally. According to IOL and Accenture, South Africa has the third-highest number of cyberattacks, leading to more than a combined R2 billion in losses a year!
We’ve already explained what the POPI Act is in our first blog, but if you’re still unsure of the Protection of Personal Information Act, then have a look at this smart guide by ENS Africa.
Here are two critical updates that you need to know, as there’s been some confusion around this deadline: one of the Sections has been suspended, and there is one extension on an exemption. Please note: all the rest of the POPIA sections are now in full effect and you’re now legally required to ensure your company complies.
Here are two critical updates that you need to know, as there’s been some confusion around this deadline: one of the Sections has been suspended, and there is one extension on an exemption. Please note: all the rest of the POPIA sections are now in full effect and you’re now legally required to ensure your company complies.
1. One of the POPIA Sections has been suspended.
This is where it can be a little confusing, as even though the Act was signed into law in 2013, there have been different deadlines in play. Here’s some insight from ENS Africa, the biggest law firm in Africa:
“The confusion on the effective date for POPI Act has been caused by the suspension of only section 58(2) of POPIA, which has been postponed from 1 July 2021 until 1 February 2022. The remaining sections have not been suspended,” ENS Africa said. That last sentence is crucial, as it means the other provisions of POPIA are now enforceable by law.
“The confusion on the effective date for POPI Act has been caused by the suspension of only section 58(2) of POPIA, which has been postponed from 1 July 2021 until 1 February 2022. The remaining sections have not been suspended,” ENS Africa said. That last sentence is crucial, as it means the other provisions of POPIA are now enforceable by law.
2. Your company won’t be held liable for not having registered Officers yet.
According to ENS Africa, section 58(2) of POPIA deals with the suspension of processing activities that have been notified to the Information Regulator for prior authorisation in terms of Section 58(1). To unpack that, the Information Regulator is responsible for regulating the Act, and it will punish companies that aren’t compliant. But there’s good news, because of this suspension and due to the official registration portal experiencing technical glitches, your company won’t be held liable for not having registered your information officers (which is a VITAL step in addressing POPIA in your company). Here’s an official quote from ENS Africa:
“After numerous concerns raised regarding the registration process of information and deputy information officers, the Information Regulator has also confirmed that there will be no deadline for registration of information officers and deputy information officers. This means that no responsible party will be held liable for not registering by 30 June 2021”.
However, even though this deadline is extended until 1 February 2022, you should still nominate your Information Officer (and Deputy, if needed) as soon as possible, and then register them on the government portal, which you can find here. Here is some info on the process and next steps by labour law expert Grant Wilkinson:
“Appoint an information officer, as if you haven’t appointed one in writing, the CEO of the company will automatically become one. Then develop a compliant framework for the organisation. Do an impact assessment, and have policies in place should an information breach occur.”
“After numerous concerns raised regarding the registration process of information and deputy information officers, the Information Regulator has also confirmed that there will be no deadline for registration of information officers and deputy information officers. This means that no responsible party will be held liable for not registering by 30 June 2021”.
However, even though this deadline is extended until 1 February 2022, you should still nominate your Information Officer (and Deputy, if needed) as soon as possible, and then register them on the government portal, which you can find here. Here is some info on the process and next steps by labour law expert Grant Wilkinson:
“Appoint an information officer, as if you haven’t appointed one in writing, the CEO of the company will automatically become one. Then develop a compliant framework for the organisation. Do an impact assessment, and have policies in place should an information breach occur.”
3. Small, private bodies have until 31 December 2021 to develop POPIA manuals.
These are companies with less than 50 employees or an annual turnover less than the applicable threshold amount. Before 30 June 2021, they were exempt from developing POPIA manuals. However, the Minister of Justice and Correctional Services, Mr Ronald Lamola, has now extended this exemption deadline to 31 December 2021. This was done to give companies who fall within these categories the time to develop manuals. So, if you haven’t created a manual yet, you have some leeway as a small private body. HOWEVER, the Information Regulator has stressed this is the last exemption, and all public and private bodies must have a manual in place by 1 January 2022.
.jpg?cache=always)