Request A Demo Login Now Sign up to DataGuidance Alerts DataGuidance DataPrivacy Index Cookie Consent Guide Data Protection Law & Policy Download a DataGuidance Brochure DataGuidance Videos


The transverse study performed by DataGuidance is particularly interesting and innovative as it enables one, at a glance, to obtain information on the obligations that lie with companies in terms of data breach in a large number of countries. Yet, very often, companies which are victims of a data breach are not subject to the breach in only one of the countries where they are set up, but in several countries. In such case, they must react extremely quickly notably in terms of informing control authorities if applicable. Having this transverse study, they will necessarily save precious time.
Florence Chafiol-Chaumont, Partner at August & Debouzy
RSS feed of this page Updated: 05/09/2013 
Sharing disabled by cookie consent preference.
Privacy This Week powered by DataGuidance

back to Privacy This Week

South Africa: New privacy law will have 'significant impact' on businesses

The South African Parliament passed - on 22 August 2013 - the Protection of Personal Information (POPI) Bill. POPI was introduced in August 2009 by the South African Cabinet and represents South Africa's first comprehensive data protection legislation. POPI is expected to come into force before the end of the year.

"[POPI] will, upon promulgation, impose a number of stringent obligations on all persons which in any manner process personal information", Simone Gill, Director of the Technology Media and Telecommunications Practice at Cliffe Dekker Hofmeyr, told DataGuidance. "It is expected to have a significant impact on the manner in which private and public bodies process personal information, [defined as] any information that identifies a natural or [legal] person."

POPI was drafted on the basis of the EU Data Protection Directive 95/46/EC (the Directive), and establishes eight data protection principles, which reflect EU, Canadian and Australian data protection models. Of particular note, POPI restricts cross-border data transfers unless the country to which the data is transferred provides a similar level protection of personal data. Under POPI, companies may adopt contractual clauses and binding corporate codes of conduct.

[POPI] is expected to have a significant impact on [how organisations] process personal information.

POPI will also introduce a mandatory data breach notification requirement. 'Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person', reads Article 21, 'the responsible party, or any third party processing personal information under the authority of a responsible party, must notify the Regulator; and data subject, unless the identity of such data subject cannot be established.'

POPI establishes the Information Protection Regulator (IPR) with investigatory and enforcement powers, including the power to impose fines of up to ZAR 10 million (approx. €740,200). POPI also imposes criminal sanctions of up to 10 years' imprisonment for obstruction of the activities of the IPR, and up to 12 months for other violation.

Once enacted, POPI will provide South African companies with a one-year grace period to bring their existing data protection processing practices in line with the legislative requirements. However, the Information Protection Regulator, once established, may extend this transitional period to a maximum of three years.

"As promulgation is now imminent, it is essential for all persons, including private and public entities, to initiate awareness workshops and to conduct detailed due diligence exercises in order to assess their current levels of compliance with [POPI]", said Gill. "[Businesses need] to determine which steps are to be taken to ensure compliance, failing which they may find themselves being subject to criminal sanction and civil liability. Although [POPI] does allow for a one year transition period, the obligations imposed are extensive and will take time and effort to implement."

To become law, POPI will need to be translated into Afrikaans and then signed by the President. It is expected to be enacted before the end of the year.

© 2015 Cecile Park Publishing Ltd. All rights reserved

Sharing disabled by cookie consent preference.

Other News

© 2016 Cecile Park Publishing Ltd. Privacy Policy | Terms and Conditions | Sitemap
Address: 17 The Timber Yard, Drysdale Street, London, N1 6ND, UK | Phone: +44 (0)20 7012 1380 | Email: