South Africa began enforcement of the Protection of Personal Information Act 4 on July 1, 2021. It went into effect in July 2020 but gave companies a one-year grace period to comply. It’s also referred to as the POPI Act. The Act protects both physical and digital wireframes of data processed, stored, collected, or exchanged. It stresses consent but deviates from GDPR. The 2019 guidelines state that certain industry bodies could apply for an exemption. The guidelines also require that a responsible party register its Information Officer with the Regulator before the officer takes up his or her respective duties in terms of POPIA. Both of these guidelines are open for general public comment and, once finalized, are published in the Government Gazette. Companies face hefty fines and up to 10 years' imprisonment for non-compliance.
Customers are more open to sharing their personal information with companies because of the enhanced data security measures that companies put in place to be POPIA compliant. Companies also benefit from becoming POPIA compliant. In 2019, Cisco conducted a Data Privacy Benchmark study that reported that GDPR-compliant organizations have experienced advantages such as streamlined business processes, a boost in sales revenue, and increased investor appeal.
The rights of data subjects are clearly defined in Section 5 of Chapter 2 and include:
POPIA may not protect personal information that is processed, stored, or collected in certain situations. Exceptions or exclusions are covered in Sections 6 and 7 of Chapter 2, and include personal information:
Details about consent for data to be processed, used, or collected are covered in Subsection 1 of Section 11 of Condition 2 (Processing Limitation) under Part A of Chapter 3. Consent otherwise refers to personal information to be processed only if: