Many people want to know what the POPI commencement date (or effective date) will be. It is important because the grace period of one year starts running from the commencement date – the clock starts ticking. You must comply with POPI and the Information Regulator will start enforcing POPI one year after the commencement date. Which sections have already commenced and what does this mean? When will the rest commence? What should you be doing when? We are constantly on the lookout for indications of (or the proclamation of) the POPI commencement date (or effective date).

Action you can take

What has already commenced?

Certain sections of POPI have already commenced (under proclamation No. R. 25, 2014), but it is only a few limited sections. The majority of POPI (especially the sections that create compliance requirements) will only commence on a later date to be proclaimed by the President. The sections that have commenced are not of great significance. The wheels have started to turn, but not much has changed. This development does not mean that you should go any faster or slower than you are already going. So which sections have already commenced.

  • The definitions in section 1 – This section does not create any laws itself, but is necessary for other sections.
  • The Information Regulator (Part A of Chapter 5) – Part A deals with the establishment, staffing, powers and meetings of the Information Regulator.
  • Regulations (Section 112) – The Minister and the Information Regulator may now make regulations.
  • Procedure for making regulations (Section 113) – The procedure for making regulations is now in place. There are no regulations yet, just the process is in place to make the regulations. We are not expecting draft regulations before about June.

What is the POPI commencement date or POPI effective date for the rest?

We don’t know for sure. Nobody does. We are waiting for the President to proclaim the date. We anticipate that the POPI commencement date will be early in 2017, but no later than 24 May 2017. Bear in mind that there is a one-year grace period that could be used by the Information Regulator to begin the work. We currently anticipate that you will have to comply with POPI from early in 2018 and the Information Regulator will start enforcing POPI from then.

Maybe the commencement date should be 24 May 2017, so that the end of the one-year POPI grace period (24 May 2018) can coincide with the end of the General Data Protection Regulation’s (GDPR) own grace period on 24 May 2018. This would help create harmony for organisations that have to comply with both the POPI Act and the GDPR. Those organisations would be in the ideal situation of having one compliance project that covers all bases, POPI and the GDPR alike. That would ensure that they do not have to worry about first complying with POPI or the GDPR now and then, at a later point, complying with the other.

What should we do when?

But this does not mean that you should not already be starting the process of complying with POPI. POPI is not going to change. The regulations are not going to change much and will not make you redo work. There will be few (if any) new regulatory requirements in the regulations. You should be raising the awareness of POPI in your organisation and planning what you are going to do to protect personal information. You should start implementing the changes you need to make to comply as soon as possible so that you finish well before the end of the grace period leaving you enough time to check (or review) that you comply.