Mazars Durban : Mazars Messenger November 2017 - SMEs beware: POPI is finally becoming a reality

2017-11-22

The Protection of Personal Information Act (POPI) has been in the public domain for several years and has been enacted into law, but its enforcement provisions are not yet in effect. The appointment of a Regulator and the issuing of draft Regulations for public comment, however, indicate that the Act will probably come into effect in 2018. The recent massive database leak may lead to a bit of fast-tracking here.

POPI will require that all personal information (IDs, health records, religion, employment records, sexual orientation, etc.) remain confidential, and organisations will need to identify where this information is held and take steps to protect it.

Although there will be a twelve-month grace period (from the date POPI’s enforcement provisions become effective), entities should not underestimate how much work is required to ensure compliance.

The growing trend of hacking of private information will make this task more onerous and additional costs may need to be incurred to ensure that adequate cybersecurity measures are in place.

Small and medium-sized businesses (SMEs) will be under greater pressure as they do not have the resources of the larger corporates.

WHAT WILL YOU NEED TO DO?
You will have to:
  • appoint an Information Officer (the person or entity responsible for the implementation and operations of POPI)
  • as a starting point, identify what personal information you hold and how it is processed, given to third parties, stored and destroyed
  • design, test and implement systems and procedures to ensure compliance with POPI
  • have policies in place to report any breaches of personal information
Per the draft Regulations (comment has been called for so they could well change):
  • a manual (which is available to the public) setting out how the organisation complies with POPI must be drawn up. The manual needs to provide assurance that personal information will be adequately protected
  • measures and systems must be in place to respond to requests for access to personal information
  • training sessions must be held for relevant stakeholders to ensure that there is an understanding of POPI and that the company’s systems are compliant
Penalties for non-compliance are severe – a fine of up to R10 million or ten years’ imprisonment.

Don’t forget also the potential cost of being sued by people or organisations whose personal information falls into unauthorised hands or is hacked whilst under your control.

Start planning for POPI now – it will expose you to huge risk when it kicks in and forewarned really is forearmed!

CA(SA) ARTICLE AMENDED BY MAZARS





Copyright © 2024 KwaZulu-Natal Top Business