Employee Data Privacy

South Africa - Data Protection Officer


What is a DPO, and which organizations have to appoint one?

A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on processing personal data such as its purposes, interconnections, types, categories of data subjects, length of retention and department(s) in charge of implementing processing. DPOs may be required by law or recommended.

Under South Africa’s Protection of Personal Information Act, 2013 (POPIA), public and private companies should designate an Information Officer who is responsible for:

  • encouraging the employer’s compliance with the conditions for the lawful processing of personal information requests;
  • working with the Information Regulator in relation to data privacy investigations; and,
  • ensuring the company complies with the Protection of Personal Information Act (2013) and related requirements. 

Employers should also make provisions for the designation of deputy information officers, if necessary, to perform the information officer duties and responsibilities. In addition, under the POPIA Regulations, Information Officers must:

  • ensure that a data privacy compliance framework and manual are developed, implemented, monitored and maintained;
  • ensure that a personal information impact assessment is completed so that appropriate measures and standards are taken to comply with personal information processing requirements;
  • develop measures to process requests for information access;
  • conduct internal awareness sessions; and,
  • provide copies of the compliance manual upon request.

Information Officers must be registered with the South African Regulator before taking up any official data protection responsibilities. The Information Regulator issued a Guidance Note on Information Officer and Deputy Information Officers dated 1 April 2021. This contains details on who should be registered as an information officer, an information officer’s duties, designating a deputy information officer, training, and the procedure to register information officers. The Guidance Note also includes relevant required documents, and can be accessed at https://inforegulator.org.za/information-officers/.

UKG's HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where UKG's customers have employees. HR Compliance Assist is a service exclusively available to UKG customers.
