It has been announced that certain sections of the Protection of
Personal Information Act (POPI) came into effect on 11 April 2014.
The relevant sections deal with the establishment of the
information regulator, the procedure for making regulations and the
nature of the regulations which the Information Regulator may make
with regards to POPI (including how complaints will be submitted,
investigations, administrative fines and the responsibilities of
the information officer of a company), amongst others.
The fact that the provisions allow for the establishment of the
Information Regulator before the remaining provisions of POPI
become effective means that companies cannot rest on a belief that
the establishment of the regulator will cause further delays with
regards to the implementation of this legislation.
POPI aims to give effect to the constitutional right to privacy
of consumers by introducing measures to ensure that organisations
process personal information in a fair, responsible and secure
manner. The legislation covers why and how they collect, use,
disclose and store personal information belonging to natural and
Graham Teare, head of KPMG's privacy multi-disciplinary team
in South Africa, says, "Globally, we are seeing a move to
enforcing privacy protection, with significant regulatory fines in
the cases of non-compliance."
All companies, that process personal information, are required
to comply with POPI. Non-compliance has serious consequences, such
as fines and possibly, prison terms, and most significantly
"Organisations should not underestimate the potentially
negative effect of a non-compliance on the company's
reputation," says Teare. "The consequences of a tarnished
reputation, including customers' loss of trust in the
organisation could far exceed the effects of a fine."
Nikki Pennel, KPMG legal privacy specialist, acknowledges that
most companies have some sort of privacy standards and processes in
place. However, she suggests that organisations conduct an analysis
identifying gaps in their current state of privacy readiness for
compliance with POPI.
"Critical to the gap analysis is identifying practical,
strategies which can be implemented easily and are aligned to the
operations of business," explains Pennel.
Teare suggests that "POPI should be considered from a
number of perspectives - legal, business processes, systems and
overall governance, amongst others."
Complying with POPI is challenging as proven in the (name e.g.
Breaches of Privacy and Loss of Data) Survey conducted by the
Ponemon Institute (using 2012 data), on breaches of privacy in the
United Kingdom. The survey identified negligent employees or
contractors (37%), system and business process failures or glitches
(29%), malicious or criminal attacks (34%) as root causes for data
"Companies therefore need to ensure that their current
processes, employees or contractors and systems can handle the
potential demands POPI could place on them," cautions Teare.
"The Act should not be viewed in isolation. It provides a
broad framework but must work in conjunction with other
industry-specific legislation which touches, to some extent, on
"POPI requires a dedicated team of specialists with a full
complement of privacy experts to assist clients navigate the new
legislation," explains Teare. "An effective POPI team
should comprise specialists from Corporate Law, Information
Technology, Regulatory Compliance team and Forensics. The POPI
solution will have to be commercially-focused, client-centric and
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The Protection of Personal Information Bill proposes to impose stringent obligations on those with personal information.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).