In Episode 12 of our Inside Privacy Audiocast, together with special guest Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa, we discussed the Information Regulator’s mandate and the implementation of data protection legislation in South Africa.  Now, with less than a month to go before South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) takes full effect on July 1, 2021, it is critical for organizations operating in South Africa to ensure that they are ready, if and when the Information Regulator comes knocking.

It is only when organizations start their POPIA journey that they realize just how wide the POPIA net is cast, and that very few businesses fall outside of its reach.  The road to POPIA compliance should be viewed as a marathon, and not a sprint.  While implementing and maintaining an effective POPIA compliance program will take continued effort and resources well beyond the July 1, 2021 go-live date, here we outline five steps to which companies subject to POPIA should give their attention in the short term.

Step 1: Identify and Appoint an Information Officer

POPIA provides for a similar role as the GDPR’s data protection officer in the form of an “Information Officer.”  Organizations subject to POPIA must identify an Information Officer who will be responsible (and who may be held personally liable) for, among other things, all of the organization’s data protection compliance requirements, working with the Information Regulator, establishing policies and procedures, and ensuring POPIA awareness and compliance training.

Under POPIA, the “head” of the organization (i.e., the CEO, managing director, or “equivalent officer”) is automatically deemed the organization’s Information Officer; however, the organization can “duly authorize” another person in the business (at management level or above) to act as Information Officer.  Similarly, the organization can designate one or more employees (also at management level or above) to act as “Deputy Information Officers” to assist the Information Officer perform his or her responsibilities.  Both Information Officers and Deputy Information Officers must be registered with the Information Regulator before the end of June 2021, via the Information Regulator’s Online Registration Portal, or by submitting the downloadable Manual Registration Form to the Information Regulator.

Step 2: Review the Organization’s Marketing Practices

While many organizations may not consider themselves to be engaging in so-called “direct marketing” practices, this concept is broadly defined in POPIA to include “any approach” to a data subject “for the direct or indirect purpose of […] promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject […].”  POPIA provides data subjects with certain rights with respect to unsolicited “electronic communications” (i.e., direct marketing by means of automatic calling machines, fax machines, SMSs, or emails).  The processing of a data subject’s personal information for the purposes of direct marketing is prohibited, unless the data subject has consented to the processing, or the email recipient is an existing customer of the organization.

In practical terms, organizations must obtain a data subject’s details through the sale of a product or service, and the marketing should only relate to similar products or services of the organization.  The data subject must be given a reasonable opportunity to object to the use of their personal information for marketing each time the organization communicates with the data subject for marketing purposes (i.e., recipients must be able to “opt out” at any stage).  Potential new customers can only be marketed to with their express consent (i.e., on an “opt-in” basis).

Step 3: Review the Organization’s Security Measures Aimed at Protecting Personal Information, and Understand What Steps Must Be Taken in the Event of a Data Breach

POPIA obliges organizations to take appropriate technical and organizational measures to safeguard the security and confidentiality of personal information – aimed at preventing any loss, damage to, or unauthorized destruction of personal information, including measures to prevent unlawful access to, or processing of personal information under the organization’s control.

There is a general data breach notification obligation under POPIA.  Where there are reasonable grounds to believe that a data subject’s personal information has been accessed or acquired by an unauthorized person, the organization, or any third party processing personal information under its authority (e.g., an outsourced payroll service provider), must notify the Information Regulator and the data subject of the data breach “as soon as reasonably possible,” unless the identity of the data subject cannot be established.  It is therefore crucial that organizations ensure that they have an effective data security incident protocol in place, which will allow them to comply with the breach notification obligations under POPIA, and avoid falling under additional scrutiny.

Step 4: Review the Organization’s Existing Data Transfer and Outsourcing Arrangements

POPIA generally applies not only to organizations that process personal information in South Africa, but also to any person or company that processes personal information on behalf of the organization – commonly referred to as a “processor.”  POPIA also applies to organizations outside of South Africa that process personal information in South Africa with the assistance of a third party (e.g., a channel partner, or outsourced service provider).  Where any processing of personal information is outsourced by an organization, it must, by way of a written contract between it and the processor, ensure that the party processing personal information on the organization’s behalf establishes and maintains appropriate security measures as prescribed under POPIA.

POPIA contains a general prohibition on cross-border transfers of personal information.  However, this prohibition is subject to numerous exceptions, including where: (1) the data subject has consented to the transfer; (2) the transfer is necessary for the performance of a contract between the company and the data subject; (3) the transfer is necessary for the conclusion or performance of a contract between the company and a third party that is in the interest of the data subject; or (4) the transfer is for the benefit of the data subject.  Where personal information is being transferred to a third party outside of South Africa, the company must ensure that the recipient of the personal information is subject to a law, binding corporate rules, or a binding contract, which provide an adequate level of protection that effectively upholds POPIA’s principles for reasonable processing, and that include provisions substantially similar to the conditions for the lawful processing of personal information, as well as for the further transfer of personal information under POPIA.

Step 5: Deliver POPIA Awareness Training

POPIA training and awareness-raising is a not only a valuable tool for organizations to promote compliance, but also is a legal obligation under POPIA.  The Information Officer must ensure that awareness sessions are conducted regarding the provisions of POPIA, the POPIA Regulations, codes of conduct (where applicable), as well as any information that is obtained from the Information Regulator from time to time.

*           *           *

If you have questions about handling data privacy compliance matters, please contact Dan Cooper at dcooper@cov.com, Ben Haley at bhaley@cov.com, Deon Govender at dgovender@cov.com, Ahmed Mokdad at amokdad@cov.com, Shivani Naidoo at snaidoo@cov.com, or Kgabo Mashalane at kmashalane@cov.com.  This article is intended to provide general information.  It does not constitute legal advice.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Benjamin Haley Benjamin Haley

Ben Haley leads the firm’s White Collar and Anti-Corruption Practice in the Middle East and Africa and is a chair of the firm’s broader Africa Practice. With deep experience representing clients before regulators in high-profile white collar and disputes matters and a history operating on…

Ben Haley leads the firm’s White Collar and Anti-Corruption Practice in the Middle East and Africa and is a chair of the firm’s broader Africa Practice. With deep experience representing clients before regulators in high-profile white collar and disputes matters and a history operating on the ground in emerging markets, he helps clients assess and mitigate a wide range of complex legal and compliance risks.

Complementing his investigations and dispute resolution practice, Ben has a broad-based compliance advisory practice, helping clients proactively manage compliance risk in areas including anti-corruption, trade controls, anti-money laundering, fraud, and data privacy.

Ben represents corporate and individuals clients in a wide range of investigations and disputes, including:

  • Investigations under the U.S. Foreign Corrupt Practices Act (“FCPA”).
  • Investigations into anti-money laundering, financial crimes, anti-terrorism, and sanctions and export control issues.
  • Securities fraud and accounting matters.
  • Board investigations and shareholder litigation.
  • Insurance recovery.

Ben also regularly advises clients on a range of regulatory compliance and corporate governance issues. His compliance advisory practice includes:

  • Performing risk and compliance program assessments.
  • Leading compliance reviews on business partners and assisting companies with third-party risk management processes.
  • Conducting forensic accounting reviews and testing and enhancing financial controls.
  • Advising on market entry, cross-border transactions, and pre-acquisition diligence and post-acquisition integration.
  • Assisting companies in designing, implementing, and maintaining best-in-class compliance programs.

In recent years, Ben has steered a number of clients to successful resolutions and declinations in complex FCPA and corporate fraud matters with the U.S. Department of Justice and Securities Exchange Commission. In his advisory practice, Ben has served as lead compliance counsel on a number of major M&A and investment transactions. He has developed special expertise assisting clients in leveraging technology in their compliance programs, including assisting one of the world’s largest consumer goods companies in the design and implementation of an award-winning compliance data analytics and monitoring system.

Ben has been described by the Chief Compliance Officer of one of his clients as “[a]n outstanding senior lawyer and advisor,” and “a guiding light for all things compliance advisory in Africa,” whose “advice is crystal clear, covers all angles and is business friendly.”

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Deon Govender Deon Govender

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of…

Deon Govender is a vice chair of the Africa Practice Group. He focuses his practice on project development and corporate and project finance transactions across Africa, with particular emphasis on southern Africa. His experience ranges from advising on the development and financing of renewable energy and thermal power projects and various other infrastructure assets in the transportation and telecommunications sectors. Deon’s experience additionally includes advising on financing independent power producer projects under the South African government’s Renewable Energy Independent Power Producer Procurement Programme.

Photo of Ahmed Mokdad Ahmed Mokdad

Ahmed Mokdad is an associate based in the Johannesburg office, and a member of the firm’s White Collar Defense and Investigations and Anti-Corruption Practice Groups, as well as the Privacy and Cyber Security Practice Group. With a depth of experience representing clients across…

Ahmed Mokdad is an associate based in the Johannesburg office, and a member of the firm’s White Collar Defense and Investigations and Anti-Corruption Practice Groups, as well as the Privacy and Cyber Security Practice Group. With a depth of experience representing clients across various sectors, Ahmed regularly assists clients navigate and mitigate a broad spectrum of regulatory and compliance risks.

Ahmed’s investigations practice includes internal and government investigations into anti-corruption, anti-money laundering, fraud, and financial crimes matters more generally. Complementing his investigations practice, Ahmed has a broad-based compliance advisory practice in these areas and in data protection and information security matters. This includes assisting clients in numerous sectors with compliance under South Africa’s Protection of Personal Information Act (POPIA).

Adding to his investigative, regulatory and compliance advisory experience, Ahmed has extensive experience advising on numerous M&A and complex financial transactions. He has also been involved in several high profile international arbitrations, and litigious matters before the South African courts relating to, among other things, commercial and tax disputes, exchange control violations, government procurement irregularities, and defending white collar crimes. This experience gives Ahmed valuable perspectives and insights when advising on compliance advisory matters.

For international clients facing compliance issues cutting into Africa, Ahmed regularly advises on a range of issues that can arise in such context, e.g., labor and employment considerations, legal professional privilege, whistleblower protections, corporate governance reporting obligations, and control processes and protocols for engaging with government and law enforcement agencies. Ahmed is recognized by clients for providing practical advice and solutions on complex legal issues in ambiguous statutory regimes.