The Protection of Personal Information Act 4 of 2013, better known as “POPI” (or “POPIA” to use the Information Regulator’s preferred acronym) has been pending final commencement since its first sections were commenced in 2014.
Over the last few years I have been advising clients that we expect final commencement to happen within the next six months to a year. I ended up giving the same estimate for several years running.
However, the day has finally dawned: the President has announced the commencement dates for the remaining sections of the Act, and so we finally have a firm sense of the timelines involved.
The previously commenced sections allowed for the establishment of the Information Regulator, and empowered the minister to promulgate regulations – the initial house-keeping necessary for the rest of the Act to be brought into force. Now this latest proclamation brings the rest of the Act into force.
The proclamation indicates the 1st of July 2020 as the date of commencement of the bulk of the remaining sections. Anyone processing personal information in South Africa will have one year in which to become compliant with the Act.
A few remaining sections will only commence a year later on the 30th of June 2021. The reason for this delay is that several other Acts that are amended by POPI but must remain in their current forms until POPI is fully in force, which will only happen once the grace period described above has lapsed.
Note that the one year grace period can be extended by the Minister for particular classes of information or bodies processing that information. This extension can be for periods of up to a further three years. We would not recommend relying on any extension being given, however, and would strongly advise all our clients to become POPI compliant by no later than the 30th of June 2021.
If you require any assistance with POPI compliance, or just a briefing session for your staff, please contact the writer.