We received an email this week from an associate complaining about a well-known credit provider in South Africa. The provider had contacted him to inform him that its systems had been breached and that his personal information was included in the breach. The notice they sent out was mandatory; that’s a POPIA requirement. His concern was why they still had his personal information, as he had settled the credit with them many years ago. He was considering laying a complaint with the Information Regulator. His case is not unique and highlights the risk non-compliant businesses in South Africa face.
Looking back to July, when we were all bombarded with POPIA compliance notices, with even some WhatsApp group owners getting nervous and sending opt-out notices to their loyal followers, it’s tempting to think that POPI has come and gone. Adding to the confusion, recent media coverage focused on two aspects of the act that have been delayed until February 2022. This has led many to believe that the entire POPI compliance requirement has been deferred to that date.
On the contrary, the Protection of Personal Information Act was formally enacted on the 1st of July. All conditions of the act are now law, except for the specific requirement for a business to obtain prior authorisation to process a specific category of personal information (e.g. data for purposes other than originally intended, sensitive data points like religious beliefs, etc., and data relating to children).
One other requirement that has been deferred is the registration of Information Officers on the portal of the Information Regulator. This, however, does NOT exempt a business from its lawful duty to formally appoint an Information Officer, which has been a legal requirement from 1 July 2021.