“My retail business has an online store where we sell and deliver to South African clients. With POPIA looming we want to ensure that we comply with any specific industry requirements on how we must process information via our online store. Can you give guidance in this regard?”
Although the Protection of Personal Information Act (“POPIA”) was signed into law in 2013, to date not all provisions of POPIA have come fully into effect, with the coming into force of certain provisions dependent on the preparedness of the Information Regulator. The Information Regulator however recently requested the President to declare that the remaining provisions of POPIA commence on 1 April 2020, which would mean that if the President acts on the Information Regulator’s request, then the remaining provisions will take effect on 31 March 2021. With the current coronavirus pandemic, this has not yet happened, but may still happen soon.
POPIA essentially obliges responsible parties to act in a prescribed manner when processing personal information. To this end, POPIA empowers the Information Regulator to, either by its own initiative after consultation with the relevant stakeholders, or by application of a body, industry, profession or vocation, issue codes of conduct for how enterprises belonging to a specific body, industry, profession or vocation should comply with POPIA. This approach provides the option for a more detailed and specific approach to be taken by sectors and industries and so concretise specific measures or good practices for compliance in that sector or industry.
Importantly, these codes do not replace POPIA but are intended to operate in support of POPIA and explain how the relevant business will comply with POPIA in its specific context. The Information Regulator has recently issued a set of draft Guidelines on Drafting Codes of Conduct Issued Under the Protection of Personal Information Act, 2013 (Act No. 4 Of 2013) (“Guidelines”) to serve as an interpretative aid, to assist stakeholders in sectors and industries to develop codes of conduct.
The Guidelines provide guidance on what should be included in such codes of conduct as well as the process for submitting and having the Information Regulator approve a code of conduct. As the Guidelines are still in draft format, one must assume that for the moment there are no approved codes of conduct yet in force, although some sectors and industries are already involved in preparing codes of conduct for businesses in their sectors or industries.
Our advice is to make contact with the primary regulator of your specific industry or sector to hear if there is any guidance, albeit in draft form, available for your business to align itself with so long. If not, remember that your business will need to comply with POPIA so it may be worthwhile to seek help or advice to prepare your business for POPIA compliance. You can then later align your current practices with any future published code of conduct that may be applicable.