Protection of Personal Information Act

The Protection of Personal Information Act (PoPI) aims to bring South Africa’s privacy laws in line with international norms and to give substance to the Constitution’s protection of privacy. It’s based on the European data-protection directive and aims to protect sensitive private information and sets guidelines for how companies handle it. PoPI was signed into law late in 2013 but there has been no date for its commencement as yet. (Source: Institute of Directors SA)

Latest Developments

Certain sections of the POPI Act have become operative with effect the 11th April 2014.

What does this mean?

Does this mean that POPI has now been implemented and companies have 1 year to become compliant? No – whilst this is another positive step in the the right direction the countdown has not yet begun. According to Lee Padayachee (Parliamentary Liaison):

The sections of the Act which become operational from 11 April 2014 relate to the establishment of the Information Regulator, and the drafting of regulations. Only once the Regulator is set up will the remaining provisions become operation (by further presidential proclamation(s) in the Gazette).

Please note that the Act provides for the Regulator to draft codes of conduct for individual sectors (chapter 7). Based on the nature and special features of an industry, the Regulator will have the discretionary power to set out standards of compliance that are potentially less onerous than the general provisions of the Act. These codes of conduct will depend on the private sector engaging with the Regulator.

When do we think the commencement date for POPI will be?

This is still unknown but based on time frames we have heard (+ add in a few extra months for good measure!) we estimate August 2014 with a 1 year grace period – so possibly factor in August 2015 – which actually does not leave that much time anyway.