Many people want to know what the POPI commencement date (or POPI effective date) will be. It is important because the grace period of one year starts running from the commencement date – the clock starts ticking. You must comply with POPI and the Information Regulator will start enforcing POPI one year after the commencement date. Which sections have already commenced and what does this mean? When will the rest commence? What should you be doing when? We are constantly on the lookout for indications of (or the proclamation of) the POPI commencement date (or effective date).

Action you can take

What has already commenced?

Certain sections of Protection of Personal Information Act (POPIA) have already commenced (under proclamation No. R. 25, 2014), but it is only a few limited sections. The majority of POPI (especially the sections that create compliance requirements) will only commence on a later date to be proclaimed by the President. The sections that have commenced are not of great significance. The wheels have started to turn, but not much has changed. This development does not mean that you should go any faster or slower than you are already going. So which sections have already commenced.

  • The definitions in section 1 – This section does not create any laws itself, but is necessary for other sections.
  • The Information Regulator (Part A of Chapter 5) – Part A deals with the establishment, staffing, powers and meetings of the Information Regulator.
  • Regulations (Section 112) – The Minister and the Information Regulator may now make POPIA Regulations.
  • Procedure for making regulations (Section 113) – The procedure for making regulations is now in place. There are no regulations yet, just the process is in place to make the regulations. We are not expecting draft regulations before about June 2017.

What is the POPI commencement date or POPI effective date for the rest?

We don’t know for sure. Nobody does. We are waiting for the President to proclaim the date. It will not be before the Information Regulator is operational, which might be at the end of 2017 but may only be in 2018. The commencement date will not be after December 2018. Bear in mind that there is a one-year grace period that runs from the commencement date and you only have to comply with POPI at the end of the grace period.

Alignment with the GDPR

The General Data Protection Regulation’s (GDPR) commenced on 24 May 2016 and its grace period ends on 24 May 2018. It looks like POPI’s grace period will end after the GDPR’s. Organisations that have to comply with both the POPI Act and the GDPR might focus on complying with the GDPR first and then POPI second. Lessons might be learnt through GDPR compliance that can be applied to POPI compliance.

On the other hand, it might make sense to have one compliance project that covers all bases, POPI and the GDPR alike. That would ensure that they do not have to worry about first complying with GDPR and then, at a later point, complying with POPI. Dealing with the overlap between data protection laws is always going to be a challenge.

What should we do when?

The fact that the POPI effective date is some way down the line does not mean that you should not already be starting the process of complying with the POPI Act. POPIA is not going to change. The POPI regulations are not going to change much and will not make you redo work. There will be few (if any) new regulatory requirements in the regulations. You should be raising the awareness of POPI in your organisation and planning what you are going to do to protect personal information. You should start implementing the changes you need to make to comply as soon as possible so that you finish well before the end of the grace period leaving you enough time to check (or review) that you comply.