The POPI commencement date (or POPI effective date) is 1 July 2020, the date proclaimed by the President. The date matters because a one-year grace period starts running from it. Now that the Act has commenced, you must ensure that you comply with the POPI Act, as the Information Regulator will start enforcing it one year after the commencement date.

You may have questions like “which sections have already commenced”, “what does this mean”, “when will all sections commence”, and “what should I be doing and when”.


What should you be doing now?

Don’t panic – there is time and no one is going to jail.

There is no shortage of people trying to sell you offerings related to POPIA: workshops, conferences, tech solutions, programs, online courses, online training, legal services, and consulting services. How do you cut through the noise?

We suggest that you ask yourself these questions:

POPI is here! Now what?

What action should I take?

The POPI Act has commenced and organisations need to comply by 30 June 2021. Use our infographic to work out what your next steps should be.

Other actions you can take now

What has already commenced?

In 2014, certain sections of the Protection of Personal Information Act (POPIA) commenced (under proclamation No. R. 25, 2014).

  • The definitions in section 1 – This section does not create any laws itself, but is necessary for other sections.
  • The Information Regulator (Part A of Chapter 5) – Part A deals with the establishment, staffing, powers, and meetings of the Information Regulator.
  • Regulations (Section 112) – The Minister and the Information Regulator may now make POPIA Regulations.
  • Procedure for making regulations (Section 113) – The procedure for making regulations is now in place and POPI Regulations have been finalised.

The majority of the POPI Act (especially the sections that create compliance requirements) commenced on 1 July 2020 (under proclamation No. R. 21 of 2020 in Gazette no. 11136, Vol. 660 No 43461 dated 22 June 2020).

Bear in mind that there is a one-year grace period that runs from the commencement date and you only have to comply with POPI at the end of the grace period. So, the POPIA deadline is on 1 July 2021. The Information Regulator has published the final POPI Regulations 2018 and appointed various people to fill vacancies.

Once POPI is fully in force, data subjects will be protected. It will also be good for responsible parties because South Africa can then participate in the global data economy, which could mean South Africans getting more business. Personal data can only flow freely between the EU and South Africa when the Commission decides that South Africa has adequate data protection laws in place.

When is the POPI commencement date or POPI effective date for the rest?

Sections 110 and 114(4) will only commence on 30 June 2021.

Alignment with the GDPR

The General Data Protection Regulation (GDPR) commenced on 24 May 2016 and its grace period ended on 24 May 2018. POPI’s grace period will only start and end after the GDPR’s. Organisations that have to comply with both the POPI Act and the GDPR should focus on complying with the GDPR first and then POPI second. Lessons might be learnt through GDPR compliance that can be applied to POPI compliance.

On the other hand, it might make sense to have one compliance project that covers all bases, POPI and the GDPR alike. That would ensure that they do not have to worry about first complying with GDPR and then, at a later point, complying with POPI. Dealing with the overlap between data protection laws is always going to be a challenge.

What should we do when?

This is an important issue regardless of when the actual commencement date is

You should already be starting the process of complying with the POPI Act. POPIA is not going to change. The POPI regulations do not change much and will not make you redo work. There are few (if any) new regulatory requirements in the regulations. You should be raising awareness in your organisation and planning what you are going to do to protect personal information. You should start implementing the changes you need to make as soon as possible so that you finish well before the end of the grace period, leaving you enough time to ensure that you comply.