At long last the main provisions of POPIA (the Protection of Personal Information Act) have been gazetted, and they will commence on 1 April 2020. That means that the one-year transitional period will expire on 31 March 2021.
Don’t panic just yet, and ignore the many “fake headlines” in the media implying that you are at immediate risk of non-compliance, but at the same time don’t leave this to the last minute! Preparing for compliance is going to be a time-consuming affair, almost all South African businesses will need to comply, and the penalties for not doing so will be very severe indeed –
- You risk administrative fines of up to R10m;
- You could face criminal prosecution (with up to 10 years’ imprisonment);
- You could be sued for millions by anyone whose data has been compromised, and this is an instance of “strict liability” in that no “intent or negligence” on your part need be proved;
- The loss of trust and the adverse publicity resulting if your data breach goes public could be devastating.
In future issues we’ll let you have a lot more practical advice on how POPIA will affect your business, and on the steps you will have to take to protect yourself from the dangers of non-compliance, but for now get started with this first planning step: Ask yourself what personal information you hold, where you hold it, who has access to it, and how secure it is.