The first anniversary of the Protection of Personal Information Act No 4 of 2013 ("POPIA") compliance deadline for all South African organisations was in July 2022. The compliance deadline imposed operational and organisational limits on processing personal information for local enterprises, prompting a compliance effort to put corporate activities in line with POPIA. POPIA-affected organisations must understand the implications of their compliance journey and create systems and strategies to handle their current and ongoing compliance responsibilities.
POPIA compliance has necessitated changes in how some organisations approach certain operations. With this shift have come various challenges in accommodating such a transition, such as a slow uptake on the registration of information officers, and many organisations are yet to put in place and/or update their existing Promotion of Access to Information Act No 2 of 2000 (as amended) ("PAIA") read with POPIA, etc. Certain POPIA laws remain undiscovered territory that must be examined using acceptable protocols and legal techniques.
Organizations have had to do costly personal information impact assessments and train their staff to comply with POPIA across all of their operations to approach POPIA compliance practically. Organizations have also had to think about their relationships with third parties (suppliers, customers, etc.) to address consent, transfers and sharing of personal information, retention, and applicable POPIA requirements while navigating the complexities of the various approaches to dealing with data breaches.
Case law advances in data privacy have aided organisations in understanding POPIA compliance obligations. This understanding must be supported by practical guidance to assist organisations in developing and implementing a compliance programme that takes their needs and operating situations into account.
Compliance: Several fundamental steps must be considered and taken to guide an organisation on its compliance journey, including: • conducting a gap analysis to determine an organization's readiness for POPIA; • conducting Data Mapping exercises to understand the type of information processed by an organisation and for what purpose; and • taking into account the relevant data transfer requirements.
The preceding steps are useful in building best practices in an organization's POPIA compliance journey, but the trip does not end there because it prompts many continuing obligations that necessitate a frequent examination of organisational procedures to verify they meet POPI criteria.
Organizations must engage actively and consult to test their operations against POPIA's guidelines. It is not enough for organisations to theoretically meet their Act requirements, because needs differ from instance to situation. POPIA compliance necessitates the development of a practical system that allows organisations to monitor compliance and identify/address concerns pragmatically and rigorously.
Lexology: CMS South Africa, One year into POPIA - taking stock, July 1, 2022