South Africa awaits implementation of personal data regulations

POPI legislation enactment expected soon with 12-month window for compliance.

The South African Protection of Personal Information (POPI) Act is expected to be implemented soon, giving companies a 12-month window to ensure that they are compliant. The legislation, which was approved by the President in 2013 but has not yet been enacted, will enforce strict guidelines on the collection and retention of personal data by companies. 

The recent appointment of POPI proponents, Pansay Tlakula, Lebogang Stroom, Johannes Weapond, Professor Tana Pistorius and Sizwe Snail Ka Mtuze, to membership of the Information Regulator  suggests that the implementation is imminent. 

Personal Information covered by the regulations include contact details, demographic information, history, biometric information, opinions and private correspondence. Companies will be obliged to only collect this information for specific purposes, take reasonable security measures to protect it, ensure it is relevant and up-to-date, only hold as much as is needed and only for as long as it is needed, and allow the subject of the information to see it upon request. 

The government hopes that this legislation will help companies to streamline their data and improve consumer confidence about the way their data is used. Companies that fail to comply with regulations may be faced with a fine and prison sentences of up to 12 months and in some cases, sentences of up to 10 years.

Information about the act and advice on how to ensure compliance can be found on the POPI Compliance website.