In a January 2020 interview, the Chairperson of the Information Regulator, Pansy Tlaluka, indicated that her office has requested President Ramaphosa to sign the remaining provisions of POPI into full force by 1 April 2020. These provisions will establish the minimum requirements for lawful processing of personal information with which all private and public persons must comply, as well as the Information Regulator’s enforcement powers.

It is not certain that President Ramaphosa will sign POPI into full force by 1 April 2020, or at all this year. His office has not made any public announcements to indicate its intentions in this regard. The Information Regulator has recently been engaging with the President to increase her office’s budget to allow it to exercise its powers and duties under POPI, which include monitoring and enforcing compliance, and presumably the commencement date depends on the outcome of these requests.

Once POPI comes into force, all public and private persons will have one year to comply with the provisions of POPI, and there can be substantive penalties for non-compliance.

Organisations should not underestimate how quickly the 12 months will pass because there is a lot to do.

Serious consideration has to be given to the personal information that the organisation processes, and how this creates risk from a reputational and commercial perspective. This can be efficiently managed through a POPI compliance audit by your internal or external advisors. Such an audit will identify risks or gaps which the organisation may not have been aware of. Awareness of the extent of the risks and the preventive action needed is the first step to identifying appropriate, practical and business-suitable steps to mitigate the risks and ensure compliance with POPI.