Spotlight on the Protection of Personal Information Act (POPIA)

July 9th, 2020
Spotlight on the Protection of Personal Information Act (POPIA)


Photo by Freepik

Part 2 of the IT Governance and Legal Compliance for the Global Village Series

As you well know, South Africa's Protection of Personal Information Act (POPIA) came into effect on the 1st of July 2020. Once again, as with the GDPR back in 2018, organisations are amending their IT Governance policies in line with their legal compliance obligations.

Changes to internal governance policies are no easy feat, which inspired us to create this data privacy law series. Part 1 shone a spotlight on the world's leading data protection law, the General Data Protection Regulation (GDPR).

If you are doing business in South Africa or processing the personal information of her citizens, you are legally bound to the statutes of POPIA. Here's what you need to know.

POPIA - Protection of Personal Information Act

The Protection of Personal Information Act is commonly referred to as the POPI Act or POPIA. It was signed into SA parliament in 2013 and officially commenced on the 1st of July 2020. Organisations have until the 1st of July 2021 to comply.

In Short:

POPIA sets out conditions for lawful processing of personal information to protect individuals and companies (natural and juristic persons) from harm caused by fraud, theft or even discrimination.

Applies to:

'The POPI Act applies to data processors or responsible parties who are either domiciled in the Republic of South Africa or who are domiciled elsewhere but "makes use of automated or non-automated means" in South Africa.' 1

In other words, any person or business that keeps any type of records relating to the personal information of anyone unless the records are protected by a superseding, and more stringent, law.


The Act contains a unique clause: "Personal information must be collected directly from the data subject".

"Natural or juristic persons" include large corporations, non-profit entities and government. SMEs are equally accountable as all other businesses governed by the Act. However, the action required will vary from company to company depending on the business size and data security measures already in place.

This does not apply where the authority processing the information is a "public body involved in national security, defence, public safety, anti-money laundering, or the Cabinet or Executive Council of the province or as part of a judicial function." 2

The Act has specific conditions regarding processing the personal information of children.

Max Penalties:

Compensation for damages to affected data subjects’ fines or imprisonment of up to R10 million and ten years, respectively.

There are three role players in the POPI Act.

  • The data subject refers to the person whose information is being processed.
  • The responsible party (likened to controllers in similar laws) refers to the party determining the reason and procedure for processing information.
  • The operator is the party that processes the information on the responsible party's behalf (often called the processor in similar laws).

According to the Act, Personal Information is "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person." 3

A Broad View of GDPR Compliance

The Act outlines eight conditions for lawful processing

  1. Accountability
  2. Processing Limitation
  3. Purpose Specification
  4. Further Processing Limitation
  5. Information Quality
  6. Openness
  7. Security Safeguards
  8. Data Subject Participation

Summated, the stipulations of all eight sections of the POPI Act translate to:

  • The responsible party has to ensure compliance with the Act.
  • Personal information may only be processed if it is fair and lawful to do so, and with Data Subject's consent.
    • The information must be collected directly from the Data Subject (limited exceptions apply).
  • State the reason for collecting information and only use the information for that purpose, after that the data must be destroyed.
  • Keep a record of what information you hold, its purpose and on which date it must be destroyed.
    • The process to destroy personal information must prevent its reconstruction.
  • Don't process personal information for a secondary purpose unless it is compatible with the original purpose.
    • If not, you need to gain consent from the Data Subject again.
  • Ensure that the personal information collected is complete, accurate, not misleading and updated where necessary.
    Process information in a transparent manner. Have and make available a Privacy Policy that details your data processing procedure.
  • Keep personal information secure against the risk of loss, unlawful access, interference, modification, unauthorised destruction and disclosure.
  • The operator and responsible party must provide notification of any data breaches.
  • Data subjects must be able to access their personal information; request that it is corrected or deleted; or decline to share their information.
    There's good news! If you're already GDPR compliant, you're well on your way to POPIA compliance too.

There's good news! If you're already GDPR compliant, you're well on your way to POPIA compliance too.

For a POPIA compliance gap analysis, or assistance with implementing the right measures, speak to us today, your trusted technology advisors.

Further reading:


1 Privacy Policies | South Africa's POPI Act


3 Protection of Personal Information Act (POPI Act)

TermsFeed | South Africa POPI Act