POPIA came into force on 1 July 2021, following a year-long grace period where entities were afforded the opportunity to become compliant.
In essence, POPIA provides a framework within which entities must lawfully process personal and special personal information. A failure to comply can result in entities facing severe monetary fines, criminal prosecution as well as reputational damage.
The Information Regulator was created in accordance with POPIA, it is a regulatory body that is empowered to monitor and enforce compliance by public and private bodies to ensure compliance with POPIA.
Despite a year having elapsed since the enforcement of POPIA and a number of large data and privacy breaches have taken place in recent times, we have yet to see the Regulator holding anyone to task for non-compliance.
One of the members of the Information Regulator, Advocate Collen Weapond, publicly stated that the Information Regulator over the past year has sought to both educate the public and create awareness. However, he went on to state that the Information Regulator is presently attending to assessments and investigations which may result in enforcement notices being issued and where non-compliance continues, levying fines against those who remain non-compliant.
The chairperson of the Information Regulator, Advocate Pansy Tlakula, has also cautioned responsible parties that the Information Regulator has been patient in assisting entities to become compliant with POPIA, but that the Information Regulator now has to exercise their powers and enforce compliance with the Act.
With this being said, and while there have yet to be prosecutions on the part of the Information Regulator, it is clear that we have seen a shift in data protection by entities which was necessitated by the enforcement of POPIA.
In addition, it has become apparent in recent case law that personal information is becoming a consideration to courts. In the case of Bool Smuts and Another v Herman Botha (887/20)  ZASCA 3, the SCA considered a person’s right to privacy where information had been published on Facebook, however, it was concluded that information already in the public domain cannot be protected under the constitutional or legislative rights to privacy.
We believe that the next year will see the Information Regulator cracking down on entities who are non-compliant and enforcing POPIA in accordance with its mandate. If you have not yet ensured your entity’s compliance with POPIA, or you seek guidance on your obligations in respect of data protection please do not hesitate to contact our offices. We are also willing to be of assistance to data subjects who feel that their personal information has been unlawfully processed.