The POPI (Protection of Personal Information Act 4 of 2013) in South Africa became effective in 2016, however, as most businesses know, it has had little in the way of enforcement. This status has completely changed effective July 1, 2020, because now POPIA is empowered with the ability to investigate and fine responsible parties for lack of compliance in data protection.
What Is POPIA?
The long-awaited law has a purpose that aligns SA data protection methods along the same lines as most of the rest of the developed world. POPIA creates a variety of privacy rights and conditions for data subjects as well as establishes rules for the ways that personal information can be collected, used, shared, and stored. To comply with POPIA, all parties must evaluate and then change their privacy practices.
POPIA was enacted due to the average of R40.2 million in annual breach costs in SA so that data protection and privacy will be protected for both proprietary company and customer/client information. There are two sides to any breach, and while law enforcement is arresting and convicting the cybercriminals that cause the breach, POPIA has been established to hold organisations accountable for protecting information.
What Took So Long?
The South African Information Regulator was established to enforce POPIA and although they published and distributed the draft regulations, guidelines and rules, they also understood the challenges that companies might have to accommodate them and gave them until July 1, 2021 for compliance.
Consequences for Lack of Compliance
The time is up for organisations to have completed the compliance rules for POPIA. By this time all businesses should have confirmed whether they should be subject to POPIA, conducted an internal assessment for organisational impact, and implemented the measures required to be POPIA compliant using POPIA’s eight “Conditions for Lawful Processing of Personal Information.” In addition, a business should have conducted an assessment involving gap analysis to compare to the requirements for compliance and identified and taken action on any risks and vulnerabilities.
Non-compliance by an organisation can lead to up to 10 years imprisonment. Although the time served is dependent upon the severity of a breach, there is evidence that the police are taking this seriously and will be enforcing the law. Data breaches based on lack of compliance can also destroy a company’s reputation which could ultimately cause the downfall of the business.
How Will the Information Regulator Help?
While the Information Regulator has many functions, there is a focus on protecting data subjects and ensuring that responsible parties take action to protect personal information. Some of the functions, powers and duties of the Information Regulator include:
- Providing education
- Enforcing and Monitoring compliance
- Consulting with parties of interest and those that are interested
- Acting as the major contact for complaints
- Conducting research and then reporting to Parliament
- Actions regarding the published codes of conduct
- Participating in initiatives that are aimed at cooperation that facilities cross-border enforcement of privacy laws
- Additional actions specified in POPIA section 40(1)
“Never before has South Africa taken such a strong stand in protecting personal information and data as it has with POPIA. DaVinci Forensics has been diligently working with clients to evaluate networks and recommend changes required for compliance.”
Sharon Knowles, CEO DaVinci Forensics