We guestimate that the POPIA deadline will be on about 1 June 2021 or maybe a few months before that. Many people want to know when the POPIA deadline is so that they can plan what action to take and when. We get asked all the time and it’s hard to give them guidance. No one knows for sure because the information regulator has not given an indication or guidance on when it might be. We continuously monitor developments on privacy and data protection in South Africa and 1 June 2021 is our best guess based on the information publically available.
This will mean that the POPIA commencement date or effective date will be on about 1 June 2020 with the 12-month grace period ending on 1 June 2021. If we are right about the POPIA deadline, POPIA (South Africa’s data protection law) will only be in force about eight years after it was enacted in 2013. Given this long period of time, it is highly unlikely that the information regulator will extend or delay the POPI compliance deadline beyond 1 June 2021 after it has announced the commencement date.
Is POPIA currently in force? Is POPIA currently in effect?
No, it isn’t. This means that the law currently does not require responsible parties (known as data controllers in the rest of the world) to protect personal information. And data subjects are not protected. Despite this, the information regulator encourages proactive compliance, which essentially means that whilst a responsible party doesn’t have to comply, they should proactively try to comply.
The information regulator encourages proactive compliance
What should you be doing now?
It all depends on what the impact of POPIA is on your specific organisation.
- If the impact is low, you could do nothing and revisit the issue about six months before the POPIA compliance deadline. You could choose to adopt proactive compliance.
- If the impact is high, you should take action soon. It takes between 12 and 24 months for a large organisation with a medium to high impact to take the necessary action.
If you’re not sure what the impact is on your organisation or what to do next, do this complimentary high-level data protection impact assessment on your organisation (about 4 minutes) and then we will assess the impact on your organisation and the best way forward. You can also find out how we can help you.
Why do you think 1 June 2021 is the POPIA deadline?
The information regulator has consistently said that POPIA will not commence until the information regulator is fully operational. The information regulator has made progress but it has been slow. The information regulator initially said that they were aiming for a POPIA deadline of 1 December 2018.
On 5 July 2019, the information regulator briefed the Justice and Correctional Services Committee of the Parliament of South Africa on their 2019/2020 annual performance plans and budgets. Adv Pansy Tlakula said that their efforts to establish the information regulator have been very difficult. The information regulator gave the committee an update on their strategic outcome orientated goals and strategic objectives. In their presentation, they set out their performance indicators and annual and quarterly targets for the financial year ending February 2020. The information regulator still has much work to do in order to be operational – the prerequisite for the POPIA deadline.
- They need to ensure that people are aware of and understand their rights with regard to the protection of personal information by implementing a stakeholder engagement strategy and plan.
- They need to create a conducive environment that promotes the protection of personal information by developing an appropriate research strategy and plan.
- They need to create a compliant environment that fosters the protection of personal formation and the promotion of access to information by:
- publishing Guidelines for Codes of Conduct,
- publishing Guidelines for the registration of Information Officers,
- implementing a Memorandum of Cooperation (MOC) to manage the processes for the South African Human Rights Commission (SAHRC) to handover the regulation of access to information (PAIA) to the information regulator.
- They need to be able to protect personal information by resolving complaints by having a complaint management process, standard operating procedures (SOPs) and a manual.
- They need to be an optimal functioning independent information regulator by establishing the administration necessary to deliver on their mandate by:
- completing the second phase of their organisational structure,
- approving a recruitment policy and a delegation of authority framework,
- drafting an employment equity policy, and
- drafting various finance policies they have identified.
The information regulator plans to complete this work by the end of February 2020, which we think is optimistic. Achieving all of these things is going to take the information regulator some time. Considering the number of people who currently work for the information regulator and the slow pace at which they have been becoming operational it is difficult to see that they will complete this work before the end of May 2020, which then means that the POPIA commencement date would be about 1 June 2020 with the POPIA deadline then being about 1 June 2021.
The information regulator was appointed on 1 December 2016 for a five-year term which means that their first term will end on 1 December 2021. Surely POPIA needs to be in force or effective by the end of the first term of the information regulator? We think that POPIA has to be in force for about six months before the end of the information regulator’s first term, which is why we think the commencement date will be on about 1 June 2020. There is a 12 month grace period that would then make the POPIA deadline 1 June 2021. There will be lots of attention on data protection on the POPIA deadline and it cannot be on the same date as the end of the information regulator’s first term because it would create too much uncertainty. There needs to be an established information regulator in office to manage the transition from the grace period to POPIA being in full force and effect.