The Protection of Personal Information Act No. 4 of 2013 (“POPIA”) was signed by the President of the Republic of South Africa (“RSA”) on 19 November 2013 with the first of its provisions coming into effect on 11 April 2014, and the majority of the remaining provisions taking effect on 1 July 2020.

1 July 2021 marked the one-year anniversary compliance deadline date by which all Entities and other persons/entities (referred to as (“Entities”) for ease of reference) which process personal information in RSA had to ensure compliance with the provisions of POPIA (“Deadline Date”). With it now being approximately 1 (one) year since the Deadline Date, POPIA still remains uncharted territory for many, and others are still uncertain regarding the status of their compliance with the relevant provisions of POPIA.

What has transpired since POPIA came into effect:

POPIA imposed substantial requirements for Entities processing personal information with the goal of protecting the personal information of data subjects. We have had many Entities approach VDMA to request assist with assessing their compliance with the relevant POPIA provisions and to assist with implementing the necessary processes, procedures and documents to ensure that such Entities are POPIA compliant.

In light of having assessed various Entities’ level of POPIA compliance and from recent POPIA audits conducted, the most common risks pertaining to POPIA which have been identified are as follows:

  • Entities are unable to demonstrate a theoretical understanding of the provisions of POPIA and what is required from them in order to ensure compliance with POPIA;
  • Entities do not have the key POPIA documents in place;
  • the content of the policies which Entities do have in place are not sufficient to fully comply with the provisions of POPIA; and
  • the majority of employees are not adequately trained to identify the rights of data subjects and to address issues relating to consent, sharing of personal information or retention of personal information of data subjects.

In light of the potential strenuous penalties for non-compliance imposed by POPIA, it would be beneficial for Entities which have not yet ensured that they are fully POPIA complaint, to take the necessary steps and measures to ensure that they have the necessary documents, policies and systems in place for their business to be aligned to, and compliant with, the provisions of POPIA.

Concluding remarks:

Entities which have not yet embarked on becoming POPIA compliant can commence by ensuring that the following provisions are implemented:

  • appoint information officers;
  • draft and implement a POPIA policy as well as a manual in terms of the Promotion of Access to Personal Information Act No. 2 of 2002 (“PAIA Manual”);
  • draft and implement consent forms to be signed by data subjects for purposes of any personal information processed by the Entities;
  • train employees in respect of the provisions of POPIA;
  • draft and implement operator agreements with third parties who process personal information on behalf of the Entities; and
  • conduct POPIA compliance audits.

VDMA’s team of experts are available to assist you and your business with any POPIA advice, drafting consent forms, drafting POPIA policies and PAIA Manuals, drafting operator agreements, conducting POPIA compliance and risk assessments, conducting a POPIA gap analysis and assisting with any related POPIA queries that you or your business may have.

Published 15 August 2022