The Protection of Personal Information Act (“POPIA”) has been in force for over 12 months. Organizations, private and public, were given a one-year grace period to become compliant. There are, however, still a lot of grey areas in terms of what compliance looks like, or even how to practically interpret and implement this new legislation.
POPIA is a unique piece of legislation for a number of reasons. Firstly, it belongs to and finds a lot of relevance in the data protection space, an area that is developing worldwide on a daily basis. Secondly, POPIA is legislation based on a framework and guidelines, which makes it appear abstract. Framework-based legislation is legislation whose provisions are very broad and provide direction, but not in an explicit manner. It provides us with the “ends” but not the means by which to achieve the objectives set out.
When one examines the purpose of the Act, it is clear why POPIA takes this form. The first purpose of POPIA is to protect the right to privacy. The Act further outlines that another purpose is to ensure that this right to privacy is balanced against other rights and, lastly, that it was enacted to provide rights and remedies. If one is to give effect to these purposes, framework-based legislation is the way to go: it leaves an element of discretion to the responsible party, so that the purposes can be given effect without the normal private and public functions of the responsible party being unnecessarily impeded.
Over and above POPIA being framework-based legislation, it has taken on a seemingly abstract persona for a number of other reasons:
- The grace period given to companies to comply led to many entities adopting a relaxed approach to adoption and implementation;
- This grace period gave the impression that compliance has an end point and simply involves completing a checklist;
- The Information Regulator has been slow to create a presence within the data protection space;
- Data protection laws are very dynamic and change with technological advancements, so it becomes difficult to implement hard and fast rules;
- While most of the world is advancing technologically, this is happening to varying degrees, which makes it difficult to implement deadlines and concrete provisions.
While the general undertone of POPIA is very much framework-based, certain provisions do create concrete rules for what an organization needs to implement and carry out to become compliant. The first is the issue of the Information Officer. Every organization, whether public or private, must register an Information Officer and, if required, Deputy Information Officers. The Information Regulator has certainly reinforced this provision by being responsive to queries regarding Information Officers and by completing the registration process quite quickly. The Act is also very explicit on the need to obtain consent from data subjects, or to give notice to data subjects by way of data subject notifications. Another provision that gives concrete direction is the one relating to security breaches. Direct obligations and responsibilities are placed on the responsible party in respect of how to deal with security breaches, and we anticipate that the Information Regulator will give these due consideration if and when it undertakes investigations relating to security breaches. All of these provisions give one insight into practical steps one can take on the road to compliance, or while managing one's ongoing compliance with the Act.
A recent development that has also clearly demonstrated what the future of data protection will look like is the “PAIA” manual. The PAIA manual gives effect to the Promotion of Access to Information Act, a responsibility previously held by the South African Human Rights Commission. Since its inception shortly after POPIA was promulgated, the Information Regulator has taken over the role of overseeing the enforcement of PAIA. In light of this, as of 01 January 2022, it has become compulsory for all private organizations to have a PAIA manual. This provides us with a practical indicator of what data privacy laws look like in operation, as the PAIA manual is now being used by those requesting information from private bodies.
With all this being said, there is still uncertainty in respect of one of the overarching conditions, namely security safeguards. Security safeguards directly affect an organization’s operations, and the Act is not explicit on what these should look like. Most organizations have opted to adopt and implement internal policies governing the use of electronic devices, document management, physical security and other related aspects.
It is clear from the above that data privacy laws, and compliance with them, are still in their infancy. This is because technological developments affect the manner in which businesses carry out their functions. Much remains to be seen in terms of what practical compliance looks like. POPIA has created concrete guidelines and a framework for what the objectives of data privacy should look like. It is only through trial and error, as well as assistance from the Information Regulator and later on the courts, that goalposts can be drawn up in respect of the scope of what an organization should be undertaking in respect of its data privacy.