Information Regulator Interventions within POPI
It is important to ensure that there is a clear process in place when it comes to engaging with the South African Information Regulator. There are a number of possible regulator interventions within the POPI Act that should be catered for in this process. This article forms part of a series of POPI Governance articles written by TOSMS, to ensure a sustainable POPI outcome for companies. The series starts here.
Possible Regulator Interventions
The POPI Act covers a number of situations where regulator engagement occurs. These include the following:
- There are various circumstances under which prior authorisation from the regulator is required before processing can take place;
- The regulator may carry out assessments at a company;
- Data subjects or responsible parties may lodge complaints with the regulator that result in the regulator following up with a company;
- The regulator may issue a company with an enforcement notice that one would need to respond to;
- The regulator has the power to conduct search and seizure actions at a company’s premises; and
- The regulator can issue a company with an infringement notice that one would need to respond to.
This list does not include reporting on security breaches, which is another example of where interaction with the regulator may occur, because that issue is covered under its own workstream.
The point here is that someone in the company has to ensure that there is a formal and properly coordinated approach to dealing with the regulator, so that the company's exposure is managed carefully.