You are correct in assuming that you will need to comply with the Protection of Personal Information Act (POPIA) if you obtain and use personal information of your clients, including also ensuring that third parties that you pass such information on to, also comply.
POPIA took effect on 01 July 2020, with other provisions coming into force on 30 June 2021. Businesses have been provided with a one-year grace period, until 01 July 2021, to become POPIA compliant or face the consequences set out in the Act. Additionally, regulations may also be published in relation to POPIA from time to time and these regulations will provide additional rules and requirements which businesses may need to comply with. POPIA compliance is therefore not a once-off thing but a process that will need to be regularly reviewed to ensure compliance.
It is important to take note of the fact that regulations may also be published in relation to POPIA from time to time. These serve to provide further arrangements, rules, processes and context in relation to the Act. Recently, the Information Regulator announced the imminent commencement of certain regulations in terms of POPIA, relating to the protection of personal information.
With effect from 1 March 2021, the provisions of the regulations in relation to the application for issuing a code of conduct became effective. This allows private or public bodies that are sufficiently representative of various entities in an industry, to apply for a code of conduct to be considered for that specific industry.
With effect from 01 May 2021, the regulations in relation to the responsibilities of information officers will take effect. This is significant for businesses, since every entity that must comply with POPIA must have an information officer – the person responsible within the business for POPIA compliance, privacy and data governance. These regulations supplement the responsibilities set out in POPIA and emphasize the obligation to develop a compliant PAIA manual, as well as internal processes and procedures to advance data subject participation and internal POPIA training.
With the deadline for attaining POPIA compliance approaching fast and potentially further regulations and requirements being imminent, it is vital that compliance be prioritized given the hefty consequences for a failure to be compliant.
It is difficult to exactly state what areas of compliance you would need to have in place, but it would be highly advisable to enlist the help of your attorney or POPIA specialist to help you and review what you have in place and what would still need to be done before the Act and regulations take full effect.