Non-compliance may bear severe consequences

13 September 2018 Myra Knoesen
Kerri Crawford, Privacy Lawyer and Senior Associate at Norton Rose Fulbright
Although a commencement date for the Protection of Personal Information Act (POPI) has not yet been announced, many organisations are operating as if it were already in force.

FAnews spoke to Kerri Crawford, Privacy Lawyer and Senior Associate at Norton Rose Fulbright, about strategies going forward, where organisations are struggling, the positives and negatives foreseen in the near future, and some practical suggestions.

Most common complaint

“Some organisations have implemented impressive POPI compliance programmes. Others are struggling to get their implementation programmes going. One of the most common complaints from POPI champions is not having the support of management,” says Crawford.

Does this sound familiar?

If this sounds familiar, Crawford provides some responses to a reluctant board:

“Some say, ‘We still have plenty of time.’ Once POPI does commence, organisations will have 12 months to become compliant. But depending on the nature and volume of personal information your organisation holds, 12 months may not be enough time to implement a full compliance project,” says Crawford. 

“Starting early will also enable you to work out the most efficient and cost-effective way to do so. For example, if agreements need to be amended, you may be able to do this during your ordinary review or renewal cycle,” continues Crawford. 

“Others say, ‘POPI is just more red tape and bad for business.’ POPI is not aimed at restricting business and should be applied practically. Most of the requirements involve common-sense measures that can be implemented relatively easily and will not have a detrimental impact on business. In fact, POPI can be good for business because it brings South Africa into line with international best practices on data protection,” emphasises Crawford. 

“This makes South African organisations more attractive to foreign companies who are restricted by their own legislation from sending personal information to jurisdictions where it is not adequately protected. Organisations with operations in the EU will also need to comply with the General Data Protection Regulation (GDPR), which contains a number of similar requirements to POPI,” says Crawford.

“Demonstrating compliance with POPI and the GDPR is attractive to customers who are becoming increasingly aware of their privacy rights,” continues Crawford.

“Some say, ‘Who cares if we don’t comply with POPI?’ Non-compliance with POPI can have a severe impact on the bottom line. The act itself provides for civil claims for damages, criminal prosecution and administrative fines of up to R10 million. But the largest consequence of poor data protection practices is reputational. If customers can choose between an organisation which protects their information and one which doesn’t, the choice is obvious,” says Crawford.

Where do we start?

“The first step to POPI compliance is understanding what personal information your organisation has,” says Crawford. “Remember that personal information doesn’t only apply to your individual customers or employees. Personal information is any information relating to an identifiable individual, or an identifiable juristic person such as a company. Every organisation handles personal information of various parties on a daily basis, including suppliers, corporate customers, shareholders and group companies.”

“You need to identify and document the life-cycle of personal information through your organisation: where you collect it from, why you have it, what you use it for, how you store it, who you share it with and when you get rid of it,” continues Crawford. Only once this is done will you be able to conduct a gap analysis of your organisation’s personal information handling practices. Crawford says some things to consider are:

  • Do we have personal information that we don’t need, or are not lawfully allowed to keep?
  • Do the people whose personal information we have know that we have it and what we do with it?
  • How do we secure personal information?
  • When and how do we get rid of personal information?
  • What policies and procedures are in place regarding personal information? Do we monitor compliance with these?
  • Are our employees trained in how to handle personal information?

“Proper awareness and training is one of the most critical components of data protection compliance,” notes Crawford. “Comprehensive policies and watertight security protocols are useless if they are not followed.”

Editor’s Thoughts:
Why take the risk? Do not wait for the clock to start ticking, because non-compliance may bear severe consequences. Have you commenced with preparations for the process? What has been challenging and what suggestions do you have? Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts.