
Final Protection of Personal Information Act Regulations Published

It has been a long road, but the promulgation of the Protection of Personal Information Act (“POPIA”) is coming: we have progressed one step closer to implementation with the publication of the Final Protection of Personal Information Regulations (“Regulations”) by the Information Regulator.

The Information Regulator published the Regulations to POPIA on 14 December 2018.

A few highlights from the Regulations

The Regulations contain a number of forms relating to the processing of personal information and the rights of data subjects, which include:

  • the objection to processing personal information;
  • requesting amendments to or deletion of their personal information; and
  • consent to the processing of personal information for the purpose of direct marketing.

The Regulations provide more detail on the responsibilities of Information Officers. In addition to section 55(1) of POPIA, an Information Officer must ensure that:

  • A compliance framework is developed and implemented;
  • Personal information impact assessments to ensure lawful processing are conducted;
  • A PAIA manual is developed and maintained;
  • Measures and systems are created to process requests to access personal information; and
  • Internal awareness of the provisions of POPIA and the Regulations is promoted.

Regulation 6 states that a responsible party must obtain written consent from the data subject, on Form 4 (contained within the Regulations), for any direct marketing that is done via electronic communication.

The Regulations set out a complaints and conciliation process in Regulations 7 and 8. Regulation 8, specifically, allows the Regulator to act as a conciliator during the investigation of a complaint.

The Regulations will commence on a date that is still to be determined by the Information Regulator. The effective date is imminent and we expect POPIA and the Regulations to become effective during the course of 2019.

All organisations that process personal information will have only 12 months from the commencement date to comply with POPIA.

Organisations need to prepare for the changes in the processing of personal information in 2019. However, 2018 has seen many updates and changes to the data privacy landscape which may change the way your organisation processes personal information, including:

  • A directive and guidance note from the South African Reserve Bank, which addresses certain aspects of the processing of personal information
  • What Block Chain means for your Organisation
  • Artificial Intelligence and Privacy in Industry
  • Financial and Health Services Technology
  • Challenges of Big Data analytics

Should you require additional information or guidance in respect of POPIA, the Regulations or any of the topics covered in our blog posts, please reach out to the contacts below.

Candice Holland
Director: Risk Advisory Southern Africa
Tel: +27 11 209 8598
Email: canholland@deloitte.co.za

Leishen Pillay
Associate Director: Risk Advisory Southern Africa
Tel: +27 11 209 6418
Email: lpillay@deloitte.co.za

About the author

Dolly Matsubukanye
