PoPi now has a regulator with teeth
HOW: APPOINT INFORMATION OFFICER TO MANAGE COMPLIANCE, ACT SUGGESTS
Existing employee can be assigned the task.
Law is necessary in a country for structure and order, but it is not uncommon for people to break the law if there are no repercussions imposed for contravening it. To that effect, an information regulator has been set up to be the teeth behind the Protection of Personal Information (PoPi) Act.
Because there is an assumption in some circles that the act is a soft piece of legislation that has little use other than to burden organisations with costly compliance overhauls, government wisely chose not to leave adherence to it to our sense of duty and respect for one another.
Essentially, the information regulator is an independent body established for the sole purpose of monitoring and enforcing compliance by public and private bodies. It is under the jurisdiction of the justice department, which monitors and enforces the act on public bodies as well.
The regulator is governed by a group of legal experts referred to as “members”, of whom some are full time and others part time, depending on their roles.
The regulator’s responsibilities are to provide general information on the act, such as on its website, justice.gov.za/inforeg; provide free training to entities at an organisation’s request; develop codes of conduct; and monitor, receive complaints, investigate and decide on a course of action, including taking the matter up with judicial courts.
But the question on everyone’s mind is, does the regulator have teeth and how exactly will it monitor and enforce the act?
Well, the act speaks of hefty fines and imprisonment for those who contravene it. But again, how will it be known when there is non-compliance?
Will the regulator conduct door-to-door inspections to assess each organisation’s compliance? Probably not, as that would be an extremely costly exercise. Will the act rely on whistleblowers? Or will the regulator rely on the information officer?
The act suggests that organisations appoint an information officer charged with the responsibility of managing compliance with PoPi.
Furthermore, this individual will liaise between the regulator and the organisation, a system that would spare the regulator from having to perform door-to-door checks and instead put the onus of compliance on a designated figure in the organisation.
This does not mean companies have to create a new position, as an existing employee can be assigned the task of managing PoPi and liaising with the regulator.
Munya Duvera is CEO of Duvera Elgroup