Skip links

POPIA – July 1st Deadline Approaches For New South African Data Protection Act

Data protection acts are regularly coming into force around the world and on July 1st 2021 it is the turn of South Africa, as the POPIA (Protection of Personal Information Act) will be enforced from that date.  I caught up with David Luyt, Privacy Counsel at Michalsons in Cape Town to discuss what this means for South African consumers, businesses and IT teams.

Nigel: Must my organisation comply with POPIA?

David: Essentially, if you are domiciled in South Africa or you process personal information in South Africa, then you need to comply with POPIA. POPIA, unlike the GDPR, does not apply extraterritorially. Meaning that it only applies to organisations in South Africa.

Nigel: How can I find out more about the POPI Act?

David: Knowledge is Power. Having a high-level awareness of POPIA is crucial in helping you decide what your next steps are going to be. To learn more about the impact of POPIA on your organisation, take the Michalsons’ complimentary impact assessment for your specific organisation, read our insights on it, or watch our video.

Nigel: Who is the right person to be responsible for this?

David: Every organisation has an Information Officer by default and they are responsible for ensuring that the organisation complies with POPIA. However, the whole organisation needs to understand its responsibilities. Any employee that handles personal information, all systems that store and process that information and all 3rd party and cloud providers that are part of that data processing need to be reviewed and understand their responsibilities.

Nigel: What is the impact on my organisation?

David: You need to know the impact of POPIA on your specific organisation so that you can decide what the next best steps are.

Complying with POPIA is not a case of one size fits all. Different organisations need to take different actions to comply. For example, what a small enterprise (or SME) has to do is very different from what a medium or large-sized organisation has to do.

An organisation’s actions are also dependant on the foundations already built to protect personal information. Some organisations may have many safeguards in place while others are new to the issue.

Nigel: What are my organisation’s next steps?

David: At Michalsons we believe that data protection is like personal fitness – it takes time to get fit! To learn more, have a look at our top tips for data protection projects. And if you’re wondering ‘how much does data protection compliance cost?’ then we have the answer for that too!

Nigel: Which departments seem to need the most help understanding POPIA?

David: It would be unfair to single out a single group or department, but the adage “you cannot manage what you cannot see” is very true in this situation.  Every organisation needs to know where its personal data is kept, how it is handled and make sure that all employees recognise the importance of the Act.

A lot of initial work falls to the IT department to find all the current data on employees, business partners and clients and to ensure that this data is kept secure – whether inside or outside the organisation.

As we discussed in our joint webinar, this includes reviewing all outsourcing and cloud services – when you share or pass data to other organisations you are STILL responsible for everything that happens to that data, so you need to review these providers and put in appropriate measures to make sure that the data handling policies are designed to conform to the Act.

Your document on mapping POPIA to Cloud Computing has some good ideas for IT people to review – and not just for cloud, but all data handling should be reviewed in a similar way.

Nigel: Thank you for your time.

David: My pleasure.