News / E-Bulletin

Long road to data protection

Dec 18,2018

Ahmore Burger-Smidt - Head of Regulatory

On 14 December 2018, the Regulations relating to the Protection of Personal Information were finally published by the Information Regulator (“Regulator“) under section 112(2) of the Protection of Personal Information Act, Act 4 of 2013. These Regulations shall commence on a date to be determined by the Regulator by Proclamation in the Government Gazette.


The Regulations provide for various forms to be completed when a data subject wants to:

  • object to the processing of their personal information;
  • request the correction, deletion or destruction of their personal information; and
  • lodge a complaint with the Regulator.

More importantly and for immediate action, companies must take note of and implement, the additional responsibilities of the Information Officer to ensure that:

“(a) a compliance framework is developed, implemented, monitored and maintained;

(b) a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;

(c) a manual is developed, monitored, maintained and made available as prescribed in sections 14 and 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);

(d) internal measures are developed together with adequate systems to process requests for information or access thereto; and

(e) internal awareness sessions are conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.”

Furthermore, the Regulations provide for forms setting out the necessary information required in terms of which the Regulator will exercise its duties.

The publication is a clear step in the direction of the Regulator commencing official duties early in 2019.

As a country, we are soon to embark on an interesting road where the privacy of individuals and specifically data privacy will have to be considered in detail in all business activities.