South Africa’s POPIA rules have been updated ahead of the July deadline – what you should know

 ·22 Jun 2021

South Africa’s Information Regulator has confirmed that there will be no deadline for the registration of information officers and deputy information officers and that no responsible party will be held liable for not registering by 30 June 2021.

This decision follows technical glitches with the registration portal and numerous concerns raised by responsible parties regarding the registration process, the regulator said.

“The regulator is currently looking into alternative registration processes and will communicate this in due course.

“We understand that our portal malfunctioning has caused a lot of anxiety and panic and for that we really do apologise,” said chairperson of the Information Regulator, Pansy Tlakula.

She said that the registration of a chief executive officer as an Information Officer for multiple legal entities has been taken into consideration and it will be permissible.

The registration portal is currently being configured to accommodate these changes. When the registration portal has been updated it will be announced, Tlakula said.

POPIA still coming

“The Protection of Personal Information Act (POPIA) enforcement powers as promulgated by the president of South Africa in June 2020 will still be coming into effect as of the 1 July 2021,” Tlakula said.

“The Information Regulator had thus afforded responsible parties a one-year grace period to be compliant with POPIA.

“For responsible parties to be compliant with POPIA they are required amongst many actions to appoint and register their information officers with the Information Regulator and apply for prior authorisation before processing personal information.

“There has been an exponential increase for engagement from responsible parties with the Regulator as the POPIA enforcement powers draw closer and are less than ten days away.”

The regulator said it has extended the applications for prior authorisation in terms section 57 (1) subject to section 58 (2) to 1 February 2022.

Responsible parties must obtain prior authorisation from the Regulator prior to any processing of personal information where that responsible party plans to:

  • Process any unique identifiers of a data subject.
  • Process information on criminal Behaviour or on unlawful or objectionable conduct on behalf of third parties.
  • Process information for purposes of credit reporting.
  • Transfer special personal information or personal information of children to foreign countries that do not provide an adequate level of protection for the processing of personal information.

The Information Regulator as of 30 June will also be taking over the function of the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission (SAHRC).

Should the public require lodging a complaint, they may approach the Regulator to adjudicate, or they may approach the court directly.

Read: Can you meet the 8 conditions of POPIA before it becomes enforceable at the end of the month

Show comments
Subscribe to our daily newsletter