The Protection of Personal Information Act 4 of 2013 (“POPIA”) has been signed into law and businesses have a grace period until 1 July 2021 to ensure that they become compliant, or face potentially severe consequences. This deadline is now fast approaching.
POPIA requires every public or private body that processes personal information to designate and appoint an individual who will be responsible, within that business or institution, for ensuring compliance with POPIA and for the governance, management and security of personal information. These persons are known as information officers and must be registered with the Information Regulator.
On 1 April 2021, the Information Regulator published a Guidance Note on information officers and deputy information officers in order to assist businesses with the process and requirements regarding the appointment of these persons. What is of particular importance is that the process to register information officers will commence on 1 May 2021.
The Guidance Note also provides that an information officer may designate one or more deputy information officers, as may be necessary. For private bodies, the information officer is designated as the executive head of the responsible party. This person, usually the CEO or Managing Director, may then delegate any power or duty imposed on him/her to a deputy information officer, who may assist with carrying out and being responsible for these compliance and data governance functions.
In terms of the Guidance Note, businesses must register their designated information officer either by completing the online registration process on the Information Regulator’s online portal, which is expected to be accessible from the end of April 2021, or, in the alternative, by manually completing the registration form attached to the Guidance Note and submitting it via electronic mail or by delivery to the Information Regulator’s offices.
It is important that businesses register the designated persons with the Information Regulator as soon as reasonably possible after the registration process commences, and that these persons form an integral part of the team responsible for engaging in the POPIA compliance journey.
It is advisable that businesses and organisations obtain the legal advice of POPIA specialist attorneys in order to ensure that the correct compliance framework and procedures are put in place to become POPIA compliant before the grace period for compliance comes to an end and to appropriately advise information officers and their deputies.