Although parts of the POPI (Protection Of Personal Information) Act have technically been in force for some time already, the remaining (and most important) provisions have not yet been adopted.
Last week, however, the Chairperson of the Information Regulator of South Africa indicated that her office had requested the President adopt the remaining provisions and finalise their promulgation into law on the 1st of April 2020.
Stricter Rules For Personal Information
Once these remaining provisions have the force of law, much stricter rules will be enforceable around how information is collected from clients, with whom it is shared, and how it is protected.
Companies will be required to have policies in place regarding these issues, and consent will have to be voluntary, specific and informed. Rules governing your exposure to direct marketing will also be much stricter, and again, opting in will be a far more specific process than those usually in use at the moment.
International Privacy Standards
Around the world, countries have been improving their privacy standards for several years, with the flagship of course being the European GDPR, and the resultant US-EU Privacy Shield Agreement, which was created to allow cross-border data dealings between the US and the EU.
The POPI Act is actually, in some senses, slightly stricter than the GDPR. For example, the GDPR requirements do not apply to company information, whereas in South Africa, POPI requires businesses to treat business information with the same privacy standard as personal information.
Although the remaining provisions of the POPI Act are expected to be adopted soon, the Act does allow for a compliance period (generally 1 year) so that companies can make the necessary changes to training, policy and procedures in order to comply fully with the requirements of the law.
But a year is a short time for big changes, so the sooner you start preparing to be POPI compliant, the better.
You can download a copy of the Act here: POPI Act