Many people want to know what the POPI commencement date (or POPI effective date) will be. It is important because the grace period of one year starts running from the commencement date – the clock starts ticking. You must comply with the POPI Act and the Information Regulator will start enforcing the POPI Act one year after the commencement date. Which sections have already commenced and what does this mean? When will the rest commence? What should you be doing when? We are constantly on the lookout for indications of (or the proclamation of) the POPI commencement date (or effective date).
Action you can take now
- Be alerted to any new developments by subscribing to our newsletter.
- Find out more about the regulator and how to comply with POPI by attending our Data Protection Workshop.
- Find out how we can help you with POPI compliance.
- Get specialist subject matter expert support to empower you to implement POPI by joining a Michalsons programme.
- Comply with POPI by getting Michalsons to do some action items for you.
What has already commenced?
The sections that create compliance obligations for responsible parties have not yet commenced.
Certain sections of the Protection of Personal Information Act (POPIA) have already commenced (under proclamation No. R. 25, 2014), but it is only a few limited sections. The majority of the POPI Act (especially the sections that create compliance requirements) will only commence on a later date to be proclaimed by the President. The sections that have commenced are not of great significance. The wheels have started to turn, but not much has changed. This development does not mean that you should go any faster or slower than you are already going. So which sections have already commenced.
- The definitions in section 1 – This section does not create any laws itself, but is necessary for other sections.
- The Information Regulator (Part A of Chapter 5) – Part A deals with the establishment, staffing, powers and meetings of the Information Regulator.
- Regulations (Section 112) – The Minister and the Information Regulator may now make POPIA Regulations.
- Procedure for making regulations (Section 113) – The procedure for making regulations is now in place and POPI Regulations have been finalised.
When is the POPI commencement date or POPI effective date for the rest?
We don’t know for sure. Nobody does. We are waiting for the President to proclaim the date. The Information Regulator has said that the commencement date will not be before the Information Regulator is operational. The Information Regulator has recently made various statements about the commencement date and it has asked the President to proclaim a commencement date but it is not clear what that date will be. Some think 31 March 2020, others think 1 April 2020. Based on the Information Regulator’s statements it could be any date between now and 31 March 2021.
Bear in mind that there is a one-year grace period that runs from the commencement date and you only have to comply with POPI at the end of the grace period. So, the POPIA deadline is at least 12 months away. The Information Regulator has published the final POPI Regulations 2018 and appointed various people to fill vacancies.
Once POPI is in force, data subjects will be protected. It will also be good for responsible parties because South Africa can then participate in the global data economy, which could mean that they get more business. Personal data can only flow freely between the EU and South Africa when the Commission decides that South Africa has adequate data protection laws in place.
The commencement of POPI does not need to wait for the Information Regulator to be fully operational.
The Information Regulator does not need to be fully operational in order for POPI to commence. POPI places the responsibility on responsible parties (and not the Information Regulator) to protect personal data. The regulator therefore does not need to be in a position to protect personal data – they simply need to fulfil their obligations under POPI. Data subjects in South Africa currently have no protection. If POPI commences today and the regulator is only 10% operational, data subjects will be 10% better off than they are now. This illustrates why the commencement date should not wait for the regulator to be operational. In any case, the regulator will have the grace period of one year to become fully operational.
Alignment with the GDPR
The General Data Protection Regulation’s (GDPR) commenced on 24 May 2016 and its grace period ended on 24 May 2018. POPI’s grace period will only start and end after the GDPR’s. Organisations that have to comply with both the POPI Act and the GDPR should focus on complying with the GDPR first and then POPI second. Lessons might be learnt through GDPR compliance that can be applied to POPI compliance.
On the other hand, it might make sense to have one compliance project that covers all bases, POPI and the GDPR alike. That would ensure that they do not have to worry about first complying with GDPR and then, at a later point, complying with POPI. Dealing with the overlap between data protection laws is always going to be a challenge.
What should we do when?
The fact that the POPI effective date (or POPIA deadline) is some way down the line does not mean that you should not already be starting the process of complying with the POPI Act. POPIA is not going to change. The POPI regulations do not change much and will not make you redo work. There are few (if any) new regulatory requirements in the regulations. You should be raising the awareness of POPI in your organisation and planning what you are going to do to protect personal information. You should start implementing the changes you need to make to comply as soon as possible so that you finish well before the end of the grace period leaving you enough time to check (or review) that you comply.