Data Protection, Information Governance and POPIA

​​​​​​​​​​​Data protection and information governance is a growing area of law and regulation and, consequently, an increasing risk area. There are data protection laws in over 90 countries around the world, with the Protection of Personal Information Act (POPIA) fully in force in South Africa from 1 July 2020.

POPIA’s reach is wide – it regulates all organisations who process personal information - information about employees, customers, suppliers and those who outsource key processing activities, share data offshore, or engage in direct marketing. There is a 12-month grace period by which to comply with the comprehensive requirements set out in POPIA. Non-compliance can result in significant penalties - up to 10  years' imprisonment and/or ZAR 10 million in administrative fines.  We have produced a ​​POPIA infographic​ which sets out an overview of the instances in which POPIA will apply to processing activities and the obligations which come with POPIA.

We offer clients a cradle-to-the-grave service to ensure they are POPIA ready. Our service includes POPIA audits, gap analysis, insurance, training, data protection impact assessments, crisis planning for data breaches, and expert advice in engaging the Information Regulator and managing litigation.

Our data protection and information governance service offering also​ includes:

  • advising on compliance and conducting legal compliance assessments with applicable privacy and data protection laws to identify and remedy areas of non-compliance;
  • reviewing, amending and drafting the full range of agreements, policies and documentation regulating the use, processing and disclosure of information (including privacy policies, workplace policies, document rete​ntion and destruction policies, and non-disclosure and confid​entiality agreements);
  • designing and implementing training programmes on responsibility and compliance with data protection and privacy laws;
  • advising on cross-border transfers of data;
  • ensuring that privacy by design forms part of the development of new applications, products and services;
  • ​advising on how to manage personal information when merging or acquiring another entity, including obtaining permissions, combining different privacy practices and privacy cultures, and transferring customer files or employee records;
  • advising on engagements with key stakeholders, including regulators; and
  • drafting and implementing reputation and crisis management policies and procedures, to help manage and mitigate consequences of data breaches and unauthorised disclosures.