June 22, 2020


Data is the oil, some say the gold, of the 21st century — the raw material that our economies, societies and democracies are increasingly being built on . . .”    -   Joe Kaeser (CEO of Siemens, 2018)

The Covid-19 pandemic and the resultant national and regional lock-downs the world over have, never more in human history, made businesses reliant on all forms of electronic communication and data processing. The surge in national and international data traffic over the internet, VPNs and other networks through an array of telephone lines, fibre links, under-sea cables and satellites makes us realise that now, more than ever, “in a digital economy, data, like oil, is more valuable than ever with huge rewards”.

It is against this backdrop that on Monday, 22 June 2020, President Cyril Ramaphosa announced that additional provisions of the Protection of Personal Information Act, 2013 (“POPI”) will come into force in July 2020 (and June 2021), giving the Information Regulator in South Africa its first real powers to protect consumers, and businesses much to get done to be fully compliant in the coming months. Since April 2014, certain provisions of POPI have been implemented on an incremental basis, including the appointment of the Chairperson of the Information Regulator in 2016, and the publication of regulations relating to POPI by the Information Regulator in December 2018.

The following sections of POPI will now come into effect on 01 July 2020:

  • sections 2 to 38 – which include the provisions dealing with the conditions for the lawful processing of personal information and the provisions relating to the exemption from conditions for processing of personal information;
  • sections 55 to 109 – which include prior authorisation for processing of personal information, codes of conduct, rights of individuals in respect of direct marketing, transborder information flows, enforcement provisions and offences and penalties;
  • section 111 – which relates to fees in terms of POPI;
  • section 114(1), (2) and (3) – which provides for a compliance period of 1 year before full POPI compliance is mandatory. This means that all businesses will have to ensure that they are fully POPI compliant no later than 01 July 2021. Business should, of course, endeavour to be fully POPI compliant as soon as possible in the circumstances.

In addition, sections 110 and section 114(4) become effective on 30 June 2021 to allow the amendment of laws and the effective transfer of functions of the Promotion of Access to Information Act, 2000 from the South African Human Rights Commission to the Information Regulator.

If you need any assistance preparing your business through the likes of awareness training, conducting gap assessments and planning for the implementation of a comprehensive privacy programme, please do not hesitate to contact our Corporate and Commercial Department.