top of page

Grace period for PoPI compliance nearly over - Data protection milestone in South Africa

Company executives must act swiftly, the grace period for compliance to the Protection of Personal Information Act (PoPI) is nearly over. For the first time, the South African National Assembly voted in favour of the appointment of the Information Regulator for PoPI.

Parliament voted for the five nominated candidates to run the newly-formed office of the Information Regulator and will now be referred to the Minister of Justice and Correctional Services.


The PoPI Act will hold organisations liable for the safety of their information. Companies could face increased data protection and disposal costs, massive fines, civil claims and reputational damage claims if they fail to upgrade information technology security systems ahead of the implementation of the Act.


Xperien CEO Wale Arewa is excited by this decision, he says it impact both the consumer and the economy positively. “It will force companies to change their processes to ensure that the personal information and data they collect is protected.”


“The small guy whose rights have been violated by data breach will now have recourse to take on corporate companies. This was previously unthinkable, considering the cost implications of putting together a case for high court litigation. Many aggrieved consumers have resigned to the bully tactics of cavalier corporate companies,” he explains.


The new regulations will make it easier and less risky for multinationals to do business in South Africa. Many have resisted doing business due to a lack in data protection laws, that could leave them exposed to data breach and it dire consequences.


"Company executives responsible for IT asset management need to understand the principles of IT Asset Disposal (ITAD) and they need to consider regulatory compliance and the protection of company information. IT disposal has legislative requirements, compliance to PoPI," he says.


Arewa suggests the PoPI Act will have serious consequences in the near future. “It won’t be long before we start reading about companies that have been fined for non-compliance and this in turn will encourage other companies to adopt the principle of ITAD, which will ultimately protect companies from reputational loss.”


Not only is the introduction of mandatory protection of personal data a huge challenge for companies, but now organisations are being prompted to rethink how they approach the reuse, recycling or recovery of their eWaste.


"The office of the Information Regulator will determine whether Government and business respect the privacy rights of data subjects or not,” he concludes.

Fog and Nature