
It is only when organizations start their POPIA journey that they realize just how wide the POPIA net is cast, and that very few businesses fall outside of its reach.  The road to POPIA compliance should be viewed as a marathon, and not a sprint.  While implementing and maintaining an effective POPIA compliance program will take continued effort and resources well beyond the July 1, 2021 go-live date, here we outline five steps to which companies subject to POPIA should give their attention in the short term.

Step 1: Identify and Appoint an Information Officer

POPIA provides for a similar position as the GDPR’s data protection officer in the form of an “Information Officer.” Organizations subject to POPIA must identify an Information Officer who will be responsible (and who may be held personally liable) for, among other things, all of the organization’s data protection compliance requirements, working with the Information Regulator, establishing policies and procedures, and POPIA awareness and compliance training.

The “head” of the organization (i.e., the CEO, managing director, or “equivalent officer”) is automatically deemed the organization’s Information Officer; however, the organization can “duly authorise” another person in the business (who is at management level or above) to act as Information Officer.  Similarly, the organization can designate one or more employees (also at management level or above) to act as “Deputy Information Officers” to assist the Information Officer in performing his or her responsibilities.  Both the Information Officer and any Deputy Information Officers must be registered with the Information Regulator before the end of June 2021, via the Information Regulator’s Online Registration Portal, or by submitting the downloadable Manual Registration Form to the Information Regulator.

Step 2: Review the Organization’s Marketing Practices

While many organizations may not consider themselves to be engaging in so-called “direct marketing” practices, this concept is widely defined in POPIA to include “any approach” to a data subject “for the direct or indirect purpose of […] promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject […].”  POPIA provides data subjects with certain rights with respect to unsolicited “electronic communications” (i.e., direct marketing by means of automatic calling machines, fax machines, SMSs, or emails).  The processing of a data subject’s personal information for the purposes of direct marketing is prohibited, unless the data subject has consented to the processing, or the email recipient is an existing customer of the organization.

In practical terms, the organization must have obtained the data subject’s details through the sale of a product or service, and the marketing should only relate to similar products or services of the organization.  The data subject must be given a reasonable opportunity to object to the use of their personal information for marketing each time the organization communicates with the data subject for marketing purposes, i.e., recipients must be able to “opt-out” at any stage.  Potential new customers can only be marketed with their express consent, i.e., on an “opt-in” basis.

Step 3: Review the Organization’s Security Measures Aimed at Protecting Personal Information, and Understand What Steps Must Be Taken in the Event of a Data Breach

POPIA obliges organizations to take appropriate technical and organizational measures to safeguard the security and confidentiality of personal information – aimed at preventing any loss, damage to, or unauthorized destruction of personal information, including measures to prevent unlawful access to, or processing of personal information under the organization’s control.

There is a general data breach notification obligation under POPIA.  Where there are reasonable grounds to believe that a data subject’s personal information has been accessed or acquired by an unauthorized person, the organization, or any third party processing personal information under its authority (e.g., an outsourced payroll service provider), must notify the Information Regulator and the data subject of the data breach “as soon as reasonably possible,” unless the identity of the data subject cannot be established.  It is therefore crucial that organizations ensure that they have an effective data security incident protocol in place, which will allow them to comply with the breach notification obligations under POPIA, and avoid falling under additional scrutiny.

Step 4: Review the Organization’s Existing Data Transfer and Outsourcing Arrangements

POPIA generally applies not only to organizations that process personal information in South Africa, but also to any person or company that processes personal information on behalf of the organization – commonly referred to as a “processor.”  POPIA also applies to organizations outside of South Africa that process personal information in South Africa with the assistance of a third party (e.g., a channel partner, or outsourced service provider).  Where any processing of personal information is outsourced by an organization, it must, in terms of a written contract between it and the processor, ensure that the party processing personal information on the organization’s behalf establishes and maintains appropriate security measures as prescribed under POPIA.

POPIA contains a general prohibition on cross-border transfers of personal information.  However, this prohibition is subject to numerous exceptions, including: (1) where the data subject consented to the transfer; (2) the transfer is necessary for the performance of a contract between the company and the data subject; (3) the transfer is necessary for the conclusion or performance of a contract between the company and a third party that is in the interest of the data subject; or (4) the transfer is for the benefit of the data subject.  Where personal information is being transferred to a third party outside of South Africa, the company must ensure that the recipient of the personal information is subject to a law, binding corporate rules, or binding contract which provide an adequate level of protection that effectively upholds POPIA’s principles for reasonable processing, and that include provisions substantially similar to the conditions for the lawful processing of personal information, and for the further transfer of personal information under POPIA.

Step 5: Deliver POPIA Awareness Training

POPIA awareness training is not only a valuable tool for organizations to promote compliance; it is also a requirement under the POPIA Regulations.  The Information Officer must ensure that awareness sessions are conducted regarding the provisions of POPIA, the POPIA Regulations, codes of conduct (where applicable), as well as any information that is obtained from the Information Regulator from time to time.

This post can also be found on CovAfrica, the firm’s blog on legal, regulatory, political and economic developments in Africa.

Deon Govender

Deon Govender focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Mr. Govender’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Kgabo Mashalane

Kgabo Mashalane is a South African qualified lawyer in the anti-corruption and compliance practice, with experience advising on market entry considerations and researching anti-corruption and bribery in Senegal, Mauritania, and Ghana. She has advised international clients on lobbying compliance laws in South Africa in interactions with members of government, parliament, and other authorities. She also has experience working on infrastructure and renewable energy projects and corporate transactions across Africa and the Middle East, having practiced in the project finance and development practice at Covington. Ms. Mashalane’s experience includes corporate transactions (including mergers and acquisitions) relating to international energy and infrastructure projects and advisory experience in the financing of transport in South Africa.

Benjamin Haley

Ben Haley leads the firm’s compliance and investigations practice in Africa. With deep experience representing clients before U.S. regulators in high-profile matters and a history operating on the ground across the continent, he helps clients assess and mitigate complex legal and compliance risks in Africa.

Clients often call upon Mr. Haley to assist in the resolution of complex government enforcement matters and commercial disputes. For more than a decade, Mr. Haley has handled complex government enforcement matters and internal investigations, with particular expertise in anti-corruption, anti-money laundering, fraud, and financial crime matters. He has guided clients across a range of industries to favorable outcomes in government investigations, as well as parallel shareholder litigation, insurance recovery matters, and employment disputes.

Ahmed Mokdad

Ahmed Mokdad is an associate in the firm’s compliance and investigations practice in Africa. As a seasoned investigative specialist with deep experience representing clients across various sectors, he regularly assists clients across the continent in navigating and mitigating a broad spectrum of regulatory and compliance risks and challenges.

In addition to his on-the-ground investigative, regulatory and compliance advisory experience, Mr. Mokdad has also extensively advised on litigious matters and financial transactions. Mr. Mokdad has been involved in several high-profile litigious matters and international arbitrations relating to, amongst others, tax disputes and exchange control violations, corporate and commercial disputes, public procurement and white-collar crime. He regularly performs risk and compliance program assessments and third-party risk due diligence, and advises on pre-acquisition diligence and post-acquisition integration.

Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.
