ITWeb recently printed an article titled Regulatory quagmire awaits SA’s IT businesses which provides, inter alia, some idea of what we can expect in terms of the roll out of the Protection of Personal Information Act (POPI).
Law firm Michalsons believes that in 2017, data protection compliance will become more urgent. This is because of the imminent Protection of Personal Information Act (POPI) – SA’s data protection law.
The POPI Act was signed by the president on 19 November 2013 and published in the Government Gazette on 26 November 2013. On 10 May 2016, the Portfolio Committee on Justice and Correctional Services shortlisted five candidates for the office of Information Regulator.
In October last year, a government statement confirmed the appointment of Pansy Tlakula as full-time member and chairperson of the Information Regulator.
According to Michalsons, the general data protection regulation grace period enters its second and final year, and the law firm expects POPI to commence by 24 May 2017 with a one-year grace period.
“This will mean that by 24 May 2018, you must comply with these privacy and data protection laws, whichever applies to you,” says John Giles, a legal advisor at Michalsons. “There is no time to lose and much of the hard work needs to be done in 2017, especially the implementation action items.”
He urges organisations to pay attention to outliers in different jurisdictions that could cause them problems or have additional data protection requirements.
Wayne Clarke, MD of Metrofile Records Management, points out that realistically, South African businesses should already have started their POPI implementation processes, in order to ensure compliance by the cut-off date.
“Converting any company’s records and information systems to reach a state of compliance is a long and expensive process, which is why organisations realistically require a multi-year time frame. That said, it is not impossible for a company to reach a state of compliance within 12 months,” says Clarke.
The RDR status update published in December 2016 refers to requirements in the Long- and Short-term Insurance Acts relating to data management and access of client information to both product providers and intermediaries.
This nothing new – A few years ago we saw FSB Enforcement Department action to the tune of an R80 000 fine, later reduced to R50 000, for failure by a FSP to “…take adequate steps to obtain proper authorization from the owner of the insurance policies…” before disclosing personal information to a third party.
The Merriam-Webster dictionary defines “quagmire” as a “difficult, precarious, or entrapping position”. In the context of what is happening on the regulatory front, I believe that this term is a euphemism.
At the rate we’re going, black hole would be more appropriate.