With the deadline for the implementation of the Protection of Personal Information Act, 2013 (“POPIA”) fast approaching, organisations in South Africa will need to be compliant by 1 July 2021.

To assist with achieving compliance with POPIA, chapter 7 of POPIA provides a framework for developing and publishing codes of conduct under POPIA. The Information Regulator has recently published the  Guidelines to Develop Codes of Conduct (the “Guidelines”). The Guidelines provide criteria for publishing and developing codes of conduct in different sectors that enhance compliance with POPIA.

What is a code of conduct and who does it apply to?

Codes of conduct are voluntary, sector-specific guidelines developed to:

  1. help identify and address data protection issues relevant to sector members;
  2. foster accountability and transparency amongst sector bodies; and
  3. help sectors to comply with POPIA.

Codes of conduct can be developed for any public or private body or sector that processes personal information. Once published, the relevant bodies, sectors and stakeholders will be bound by the code of conduct and any failure to comply is equivalent to a breach of the lawful conditions of processing under POPIA.

Who can develop a code of conduct?

Codes of conduct can be developed by the Information Regulator and relevant sector bodies, such as industry associations, voluntary associations, etc. Bodies or sectors that wish to publish a code of conduct must notify the Information Regulator of this intention, and ensure that they have enough resources to allocate towards developing and the implementing of the code of conduct.

What are the advantages of developing a code of conduct?

  • building public trust and confidence in a body or sector's ability to comply with POPIA;
  • providing clarity on how entities can comply with the lawful conditions of processing that are relevant to the body;
  • outlining the processing conditions for specific activities and certain information applicable;
  • promoting a culture of compliance of POPIA across the relevant body or sector;
  • outlining how the legitimate interests of data subjects will be protected in processing activities in specific sectors; and
  • obtaining conditional exemption from certain POPIA provisions such as those that require prior authorisation from the Information Regulator found in section 57 or the limitation of automated decision making in section 71 of POPIA.

ENSafrica is able to assist you with preparing a code of conduct sand, as well as with compliance with POPIA.

ENSafrica provides comprehensive and full-service data privacy and data-breach advice and assistance, including:

  • pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, contracts and procedures for businesses, Information Officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
  • post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches and security compromise events.

We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.