POPI: An Existing Risk, a Right Royal Ruckus, and the EU Deadline

When will the enforcement provisions of the Protection of Personal Information Act (“POPI” or “POPIA”) come into effect? Latest indications are that the Information Regulator will announce final Regulations and a commencement date shortly, but there have been so many delays already that we perhaps shouldn’t be holding our breath on that one.

Three important things to note here –

  1. Once the enforcement provisions are in effect you will have a one year grace period before compliance is obligatory. After that date, any unlawful processing of personal information will cost you dearly,
  2. Even for smaller businesses compliance will be a time-hungry affair – hence the many warnings against leaving it to the last minute,
  3. Even before POPI is fully effective you are at risk if you don’t safeguard personal information. 

The King and the leaked sales call

To illustrate that risk –

  • An insurance company employee phoned King Goodwill Zwelithini, King of the Zulu Nation, to offer him cheap insurance premiums. The employee called the King by his first name – a great insult.
  • The employee’s profuse apologies (once informed of his blunder) apparently went at least some way to repairing the damage, but then a recording of the call found its way onto social media. That, it seems, was the last straw, and the King is reportedly now about to sue the company for damages.
  • The really interesting part is the Information Regulator’s response. It issued a formal media statement to the effect that it is engaging with the insurer about what “processes and measures they have put in place to comply with the conditions for lawful processing of personal information as prescribed in POPIA”. Of course the Regulator cannot yet handle this matter officially in terms of  POPI (nor can it officially address any of the many complaints relating to direct marketing already lodged with it), but it sounds as though an unofficial “rap over the knuckles” is in the offing if any unlawful processing of information indeed took place.
  • The negative publicity generated in the media and the potential damages claim could well be the insurer’s bigger headache at the moment.

Europe’s 25 May Deadline – Must You Comply?

If you offer goods or services in or to the EU, you must, even if you are based here and not in Europe, comply by 25 May with the EU’s GDPR (General Data Protection Regulation). Take advice on the specifics – although it resembles POPI in many respects, there are key differences.  Plus you risk severe penalties for contravention – fines up to €20 million or 4% of your annual worldwide turnover.