South Africa’s Data Protection Act comes into force

On July 1, 2020, South Africa’s Protection of Personal Information Act 2013 finally came into effect. The Act had been in planning for the last seven years, with parts of it already published in 2014, and will fully come into effect with oversight provisions in June 2021, allowing for a 12 months period to enable companies to become compliant with the new regulations.

Due to its long planning period, most companies already have organised compliancy. On the other side, a lot of businesses haven’t taken the necessary steps yet, as they have been waiting for the final push to see if the Act would even come into effect. Full enforcement will be enacted on July 1, 2021, giving those companies a countdown to become compliant.

The initial draft made in 2013 was mainly based on the EU Data Protection Directive 95/46/EC, with some changes for stricter provisions. The partial enforcement in 2014 allowed for the establishment of an Information Regulator in 2016, which has released Guidances in light of the future enforcement of the Act.

The right to privacy has been a fundamental right since 1996, and the act aims to promote the protection of personal data for any business processing personal information in South Africa. However, different from a lot of other Data protection Regulations around the world, the South African Protection of Personal Information Act also includes protection of the juristic person, such as companies, banks, trusts, etc.

One of the bigger changes in regards to South Africa’s previous handling of protection of personal data represents the obligation to notify a data breach to the authorities and, in some cases, to the data subjects. It also includes further requirements for international data transfers, as well as finally detailing data subjects’ rights.