Regulations bring clarity

2019-03-27 06:01
Nanette Janse van Rensburg



I am the compliance officer for our business, and have been tasked with the responsibility for Popia. I recently saw a media report on regulations being promulgated. Is there anything of importance that I need to take note of for our business?


You are correct that new regulations to the Protection of Personal Information Act (Popia) were published in December. However, these regulations will only come into effect on a date to be determined by the Information Regulator.

The regulations essentially address a number of procedural aspects under Popia, of which a few are especially important to take note of for your business once they come into effect.

The regulations contain a number of prescribed forms which, amongst others, regulate how a data subject can object to the processing of their personal information and how a data subject can request a correction, destruction or deletion of personal information.

Also of importance for businesses that engage in direct marketing is Regulation 6. This provides that a responsible party who wishes to process personal information of a data subject for the purpose of direct marketing by electronic communication must, in terms of section 69(2) of the Act, submit a request for written consent to that data subject on Form 4 to the regulations.

Form 4 essentially requires that the responsible party must identify themselves and their contact details, identify the data subject, afford the data subject the option to consent to receiving direct marketing in respect of goods or services by way of a specified method of electronic communication (fax, email, SMS) and have the consent signed.

Fortunately, “form” is defined as “a form referred to in the annexures to these regulations or any form which is substantially similar to that form”.

This means that the responsible party could use other means of obtaining the consent, as long as it contains the elements prescribed in Form 4 and a record thereof exists.

In our view, this would be able to include an “I accept” button or link in an email or on a website or app, or even a voice recording of a data subject agreeing telephonically to the direct marketing, as “signature” includes an “electronic signature” which is defined as data attached to, incorporated in, or logically associated with other data and which is intended by the user to serve as a signature.

The regulations also provide more clarity on the responsibilities of an information officer, such as yourself, tasked with responsibility for Popia at an organisation. Regulation 4 sets out a number of responsibilities for the information officer, in addition to those prescribed by Popia, which include:

  • developing, implementing and monitoring a compliance framework for the protection of personal information;
  • ensuring that a personal information impact assessment is done to ensure that adequate measures and standards exist;
  • developing, monitoring, maintaining and making available a manual, as prescribed by the Promotion of Access to Information Act, 2 of 2000;
  • developing internal measures and systems to process requests for access to information; and
  • ensuring that internal awareness training sessions are conducted.

Although these regulations are not yet in force, they provide a view on some specific compliance aspects that must be considered by your business. Our recommendation is to look at updating your compliance procedures to prepare for these regulations or obtain the assistance of a specialist to help you do so.

– Nanette Janse van Rensburg, senior associate, Phatshoane Henney Attorneys

