Information Regulator publishes draft POPI Regulations
The Office of the South African Information Regulator has published draft POPI Regulations for comment in the Government Gazette, which are available here. Tim O’Hanlon Strategic Management Services also obtained additional insights from the Regulator’s office regarding the road ahead with POPIA, which are covered in the second half of this article.
The POPI Regulations are promulgated in terms of the Protection of Personal Information Act No. 4 of 2013 (POPIA). They primarily deal with the process around complaints handling by the Regulator and do not contain additional obligations to be complied with by organisations.
What do the Regulations include?
The Regulations include the following:
- the manner of objection by data subjects to the processing of personal information
- the manner of request by data subjects for correction or deletion of personal information, or for destruction or deletion of a record of personal information
- the duties and responsibilities of information officers, including ensuring that:
  - a compliance framework is developed, implemented and monitored
  - adequate measures and standards exist
  - preliminary impact assessments are conducted
  - a manual is developed
  - internal measures are developed
  - awareness sessions are conducted
- the manner of request for a data subject’s consent for processing of personal information for the purpose of direct marketing by means of unsolicited electronic communications
- the manner in which to submit a complaint or grievance
- the powers of the Regulator
Insights into the POPI road ahead
At a recent POPI conference, the Office of the Information Regulator confirmed to Dudley Garner, Director Regulatory Compliance at Tim O’Hanlon Strategic Management Services (TOSMS), the following:
- their intentions with regard to the commencement date; and
- their approach with regard to preparation for implementation by companies while the commencement date is awaited.
Likely POPIA commencement date
The commencement date for the remaining sections of POPIA is targeted by the Information Regulator to be in the April to May 2018 timeframe. From then on, organisations will have one year to comply fully with all the conditions of the Act.
Accordingly, it is in the best interests of organisations to initiate POPIA Impact Assessments and/or POPI Implementation Projects sooner rather than later. TOSMS has a proud history of assisting organisations with POPIA Impact Assessments since 2007.
Approach companies should be following
It was made clear by the Office of the Information Regulator that sections 39 – 54, 112 and 113 of POPIA are already effective. It was emphasised that organisations should not wait for the publication of the effective date of the remaining sections of POPIA before implementing processes to become fully compliant.
They have also already received numerous complaints under the banner of POPIA. They have undertaken to follow these complaints up prior to the commencement date. Where an organisation is under the spotlight due to a complaint and is found to have done no preparation in anticipation of the commencement date, such an absence of preparation will be frowned upon by the Regulator with the potential of greater exposure for that company.
Value-add from Tim O’Hanlon Strategic Management Services
Are you unsure how the POPI Act will impact your organisation? Do you have concerns about the need to tackle such an initiative prior to the commencement date? If so, don’t hesitate to contact one of our team.
TOSMS can conduct a risk-based gap analysis across all functional areas within a large organisation. This will give management a high-level view of risks and impacts of POPIA in a reasonably short space of time, enabling them to decide quickly where to focus resources and effort to comply with the POPI legislation. This is becoming increasingly important, especially when there are urgent business priorities and little appetite to commit resources to non-revenue-generating compliance initiatives.