Author:  Melanie Coetzee
Compliance, Legal and Training Solutions
31 March 2021

Keeping track with the Information Regulator and the speed at which the POPIA Privacy rules are getting activated

Have you appointed your Information Officer yet?
Has your organisation applied for Prior Authorisation to continue collecting and using clients’ data?

Most businesses are aware of their obligation to develop and implement a POPIA Privacy Policy by no later than 1 July 2021 since the Protection of Personal Information Act 4 of 2013 becomes fully operational then.

However, many businesses are unaware of the preliminary requirements implemented by the Information Regulator on 22 February 2021 when it published a notice in terms of which:
1. Regulation 4 related to the appointment of the business’s INFORMATION OFFICER would become effective on 1 May 2021. In practical terms, this means that:
• All organisations who collect and process client data must have appointed its internal Information Officer by then;
• The Information Officer must already have started the process of developing the organisation’s Privacy rules and started drafting the Policy document;
• The Information Officer must also have started arranging internal training sessions within the organisation in order that all employees are adequately educated.    [22 February 2021 IR Notice – link below]

2. Regulation 5 related to INDUSTRY CODES OF CONDUCT became effective from 1 March 2021. Again, in practical terms, this means that:
• Industry representatives can now apply to the Information Regulator for the issuing of industry specific POPIA Codes of Conduct in the prescribed form and according to the prescribed rules and that these must be submitted by 30 April 2021.   [Regulations 4 and 5 – link below]


In addition, the Information Regulator further published a notice on 11 March 2021 in which it sets out the process for obtaining Prior Authorisation from the Regulator’s offices in the event that the organisation collects and processes personal information:
1. Which is collected specifically as unique identifiers of the organisation’s data subjects-
a) for a purpose other than the one for which the identifier was specifically intended at collection; and
b) with the aim of linking the information together with information processed by other responsible parties;
2. Criminal behaviour or on unlawful or objectionable conduct of data subject on behalf of third parties;
3. Credit reporting; or
4. Transfer of the special personal information or personal information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information.
In practical terms, the Information Officer of the organisation must assess the purposes and usage of personal information collected from the organisation’s client base and once it is decided that the clients’ personal information falls within any of the above categories, the Information Officer must submit the prescribed application for Prior Authorisation to continue collecting and using clients’ information for future transactions. These applications must have been submitted by 1 July 2021.
[11 March 2021 – InfoRegSA-Invite-PriorAuthorisation-20210311 – link below]


With regards to the review of Whatsapp’s updated terms and conditions which was launched by the Regulator in January 2021, a follow up notice was published on 3 March 2021 and in terms of which report, the Regulator expressed its concern about the usage of telephone numbers by Whatsapp and commented that European Union Whatsapp users were set to enjoy better protection of their personal data as opposed to South African users.   [WHATSAPP FOLLOW UP 3 MARCH 2021 – link below]

When it comes to choosing your professional Compliance partner to guide and assist your organisation professionally, be discerning in your pick. The POPIA rules and Regulations are being flung into operation faster than the July 2021 date and action is needed in order to keep up with all the legal requirements.

Protection of people’s data is a major issue in the world at present and will remain a focus here in South Africa. It is therefore advisable to get your house in order to avoid facing complaints and possible fines.

The original article can be viewed here:

MC – Melanie Coetzee:  Compliance, Legal and Training Solutions:
How can we help
Having an independent, experienced legal practitioner available as a consultant when dealing with difficult and complex transactions will benefit not only you but also your clients. Questions often arise when deals are negotiated and we offer immediate advice and support in order to assist you in negotiating your deal effectively. The same availability and dedication ensures that your organisation’s Compliance issues receive the necessary attention which in turn reassures your employees, agents and clients. With our dedicated applied training sessions, your business will have an advantage in the industry.

email address:
Call Me:  082 564 9241

Links to this article:
22 February 2021 IR Notice