Concerns over the implementation and enforcement of the Protection of Personal Information Act No. 4 of 2013 (“POPIA”) persist as the Information Regulator awakens.
POPIA officially came into force on 1 July 2020, initiating a one-year grace period ending 1 July 2021. During this period, all entities operating within South Africa were expected to align their practices and operations with the requirements of POPIA. POPIA has established an electronic platform via a website to create an interface to facilitate a company’s compliance with POPIA (“Portal”), including the registration of an Information Officer for each company and the submission of annual reports.
However, the Portal has been marred by difficulties, with the Information Regulator advising applicants to resort to manual applications for required submissions under POPIA.
Many people had to undergo the inconvenience of manual registration of Information Officers, only to be left in a state of uncertainty as they awaited a response from the Information Regulator. Notably, it came to light that numerous manual applications were not properly registered. Consequently, Information Officers are now required to “re-register” on the functioning Portal.
Frustrations grew as reports of alleged POPIA violations, and a perceived lack of implementation and enforcement. However, the recent action taken by the Information Regulator against the Department of Justice and Constitutional Development (“DOJ&CD”) as a result of a security compromise of the DOJ&CD in September 2021 which disrupted public service and led to the loss of approximately 1204 files containing personal information, has raised concerns amongst individuals and businesses, prompting them to take their own precautionary measures in ensuring compliance with POPIA. The Information Regulator issued an enforcement notice to the DOJ&CD which outlined various corrective measures that the DOJ&CD must undertake to rectify its non-compliance. In the event of non-compliance, the DOJ&CD may face significant consequences, including possibility of an administrative fine, which can amount to a maximum of ZAR10 million or imprisonment between a year to ten years in jail.
These strict penalties underscore the seriousness with which the enforcement of POPIA must be regarded.
The malfunctioning of the Portal resulted in registration deadlines being revised without imposing penalties for non-compliance. However, the importance of adhering to POPIA has garnered increased attention in light of the latest extended deadline for compliance, which is now set for 30 June 2023. The deadline applies to information officers and heads of private bodies who are required to submit their section 32 and section 83(4) reports (“Reports”) to the Information Regulator, in accordance with the provisions of the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”).
Failure to comply with the registration requirements and subsequent reporting obligations as stipulated by POPIA can have severe consequences for both businesses and individuals. Non-compliance may result in administrative fines of up to ZAR10 000 000, criminal penalties, civil liability, and the imposition of remedial measures. These consequences serve as strong incentives for businesses to prioritise compliance with POPIA. It is crucial for businesses to understand their obligations, register an Information Officer, and establish effective data protection measures to avoid these potential repercussions.
As the Information Regulator begins to awaken from what appeared to be a dormant state, it is crucial for all stakeholders to prioritise compliance with POPIA. MJD Law is actively assisting clients with their registration and reporting obligations. We understand the potential risks and penalties associated with non-compliance, and we are committed to ensuring our clients’ adherence with POPIA.
In conclusion, as the deadline for registration on the Portal and submission of the Reports pursuant to PAIA with the Information Regulator looms, it is essential for everyone to take the necessary steps to comply with POPIA. A vigilant and proactive approach to protecting personal information not only ensures legal compliance but also fosters trust and confidence in the handling of sensitive data.
To create your profile on the Information Officer Registration Portal, click here: https://registrations.inforegulator.org.za/sign-up alternatively contact us on [email protected] for further assistance.