Possible enactment date for Protection of Personal Information Act in South Africa
It’s been 7 years since the partial enactment of South Africa’s Protection of Personal Information Act (POPI Act) and 17 years since the process first started.
In 2013, certain sections of the Act were signed into effect – specifically the sections required to establish a regulatory body and begin drafting the regulations and codes of conduct.
Since then, Adv Pansy Tlakula, head of the information regulator, has appointed her team, written draft regulations and completed the process of getting public comment.
Now the regulator has appealed to the country’s president to bring the full Act into effect before the end of the quarter. If successful, this will mean an April 2020 start date. It is expected that there will be a grace period of 12 months in which organizations will need to ensure that their data privacy and protection processes, policies and practices adhere to the law.
Why such a delay?
The wheels of legislation move slowly in South Africa. The Act may have been partially enacted in 2013, but it took until December 2016 for the appointment of the information regulator to become official.
Francis Cronje, an infosec specialist and contributor to the POPI Act, was quoted in an article on ITWeb saying that budgetary constraints are likely to be a major factor in the delay of implementation. He also goes on to list what the regulator has had to achieve in the space of 3 years.
It should be noted that the POPI Act is not the only information protection act that sits with the regulator. Enforcement of the Protection of Access to Information Act (PAIA), which was enacted in 2001 (well before the regulator was established), is also part of its portfolio.
Notable South African data breaches
The Regulator has played an unofficial role in investigating and mediating a number of data privacy incidents, despite not yet having the legal ability to fine or prosecute offenders.
The law firm Michalsons provides this list of notable data breaches that have occurred recently in South Africa, also noting that, although the regulator can investigate, it is effectively toothless when it comes to imposing penalties on the responsible parties.
Adding to this is the recent breach that exposed the personal information of about 1.7 million Nedbank customers. The information, which included names, ID numbers, and physical and email addresses, was breached via a third-party print provider. Fortunately, according to Nedbank’s official statement, no bank systems or client accounts were compromised; however, the affected individuals have been warned of the risk of identity theft.
After so many years, is the POPI Act now out of date?
The POPI Act was modeled on the EU’s GDPR, which came into effect in May 2018.
For such a wide-reaching regulation, that must cater to many EU members and support each country’s data privacy laws, there have been surprisingly few amendments to the original.
Also considering that the regulations adopted by the UK post-Brexit (UK-GDPR) are materially the same as the EU-GDPR, we can assume that the fundamental premise of the POPI Act continues to be relevant.
Read more about the track record of the GDPR’s first year, and what this tells us to expect.