With the commencement of the majority of the provisions of the Protection of Personal Information Act, 2013, ("POPIA") on 1 July 2020 (subject to a one-year "grace period"), and in order to plan for what may lie ahead for South Africa, it is helpful to consider what lessons have been learnt from the similar regulation in the EU and UK, the General Data Protection Regulation ("GDPR"), since its implementation in May 2018.
The UK Information Commissioner's Office ("ICO") said, in its recently published annual report: "We have seen a transformative period in our digital history, with privacy established as a mainstream concern, and with complex societal conversations increasingly asking data protection questions."
So, what do we predict lies ahead?
Prediction 1: many organisations will delay compliance with POPIA
During the grace period under the GDPR, many organisations in the EU and the UK put vast effort into complying with the GDPR. However, there were also many organisations that took few or no steps to achieve compliance well in advance of the implementation deadline of 25 May 2018. This resulted in last-minute scrambling to achieve compliance by the due date (for example, to obtain marketing consent), and made it a challenge to secure timeous assistance from GDPR specialists (such as legal advisors and IT service providers). There were also many organisations that ignored their compliance obligations altogether. To address this, the ICO, for example, has recognised that SMEs are pressed for time and resources, and has begun to engage with SMEs and roll out assistance to help them comply with the law.
The Regulator in South Africa (in its press statement of 22 June 2020) urged public and private bodies to use the grace period to put compliance measures and processes in place, and warned of the enforcement powers afforded to the Regulator in respect of non-compliance with POPIA. The era of enforceable data protection legislation in South Africa will make data subjects increasingly aware of their data privacy rights. Organisations that strive to comply with POPIA will win in the long run by building data subject confidence through the proper processing of personal information.
Tip: organisations who process personal information in South Africa should use the grace period leading up to 1 July 2021 wisely to get their "data-houses" in order.
Prediction 2: regulatory enforcement action and fines will pose a real risk to all organisations, large and small (despite funding and capacity constraints faced by Regulators)
A recent study conducted by Brave (a web browser provider) indicated that European governments had not provided sufficient funding to their national data protection authorities to enforce the GDPR. Regulators worldwide simply do not have the capacity to investigate and take action on all deserving cases. The Regulator in South Africa will likely face similar challenges in the years to come and has noted (in its Annual Performance Plan 2020/21) that it lacks adequate funding to "effectively and efficiently" fulfil its mandate.
This may lead many organisations (and in particular smaller organisations) to become complacent and believe that non-compliance with data protection legislation will go unpunished. It is interesting to note that the ICO's first ever GDPR fine (of GBP275 000) was levied against a pharmacy in North London for carelessly storing documents containing patient data. Many organisations do not have adequate resources to fend off claims by data subjects and/or the Regulator, which may make them softer targets for fines and civil liability. In addition, the Regulator, in its Readiness Plan for the Implementation of [POPIA] dated 30 June 2020 presented to Parliament, indicated that it will be ready to enforce compliance with POPIA by next year.
It was reported, in the ICO's most recent annual report, that, throughout 2019/20, the ICO conducted over 2 100 investigations and, in total, there were 236 instances of the ICO "taking regulatory action in response to breaches of the legislation it regulates" (this included 54 information notices, eight assessment notices, seven enforcement notices, four cautions, eight prosecutions and 15 fines).
There will be many instances of regulatory action being taken against a variety of organisations, be they public or private, large or small, from July 2021. There will also be greater co-operation on international enforcement with data protection authorities outside South Africa to clamp down on major data breaches that affect data subjects on a global scale. Negative publicity about data protection compliance, even where no fine or regulatory action follows, is also very damaging to a business's reputation.
Tip: do not gamble on flying under the radar of the Regulator or data subjects to avoid fines and liabilities – be proactive in your business's approach to compliance with POPIA and seek legal advice when things go wrong to mitigate any possible liability.
Prediction 3: failure to achieve proper management buy-in and resources could be a death-knell
The last two-plus years of ever-increasing GDPR fines and enormous reputational damage raining down on organisations that have not adequately complied with their data protection obligations have clearly demonstrated that senior-management buy-in to data protection compliance is paramount to the success of many businesses. Without proper support, budget and/or resources, the compliance burden can become an insurmountable obstacle, not to mention a lost opportunity to monetise your company's data assets.
Tip: having regard to the draft Guidelines on the Registration of Information Officers issued by the Regulator, it is recommended that persons designated as Deputy Information Officers be afforded sufficient time, adequate resources and financial means to devote to POPIA matters, and that they report to the highest management office within the body.
Prediction 4: data protection compliance will be a never-ending story
If GDPR compliance has taught us anything, it is that compliance with data protection legislation is not a once-off initiative. Data protection compliance needs to become part and parcel of every organisation's culture and day-to-day activities. Privacy-by-design will in future become second nature and any new and evolving technology, tools and processes must align with data protection legislation in order to avoid hefty penalties and negative media exposure.
Tip: even after starting your company's POPIA compliance journey, make sure to revisit it continually, and at the very least annually, to ensure that the way in which your organisation does business remains compliant with the Act and with any developments in the legislation and regulations.
1 July 2021 is around the corner and the compliance clock is ticking.
ENSafrica provides comprehensive and full-service data privacy and data-breach advice and assistance, including:
- pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, contracts and procedures for businesses, information officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
- post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches and security compromise events.
We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.