more info

Who & What does the POPI Act Apply to?

In short it the POPIA Act Applies to Everyone!

The Act applies to any person or organisation who keeps any type of records relating to the personal information of anyone. It therefore sets the minimum standards for the protection of personal information.

In other words your business itself, its processes, systems and website needs to comply. Even at the basic level, your website is gathering information via web cookies.

The POPIA Act Applies to Everyone

The Act applies to any person or organisation who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently.

It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organizing, retrieving, or using such information; or disseminating, distributing or making such personal information available. 

The Act will also relate to records which are already in the possession of the entity or person doing the processing.  

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013

The Protection of Personal Information Act (POPIA) applies to websites, companies, organizations and other legal entities who are located inside South Africa and who process personal information. However, POPIA also applies to responsible parties who are located outside South Africa, if they process personal information inside the country (not only transferring it through it).

What POPIA means for business

The POPI Act ensures that the right to privacy is taken seriously and includes a data subject’s right to be protected against any unlawful collection, retention, dissemination and use of their personal information.

Companies are required to receive consent from individuals before they can obtain, retain and process personal information for communication or any other purpose. As per “Conditions for lawful processing” the definition of “Personal Information” includes contact details, demographic information, personal history, as well as communication records.

The POPI Act highlights the need for a greater understanding of the manner in which personal information is stored and processed.  This means that the systems, processes and how logical and physical access is maintained and managed for the systems and areas housing personal information al need to be considered.

Protection of Personal Information requires extra vigilance in all aspects of physical and information security.  The basis of the POPI Act is to protect personal information and prevent information from being exposed to unauthorised persons.  As a result, this implies an obligation to protect information relating to individuals and juristic entities from any damage, including financial fraud, identity theft, misuse and the abuse of personal information.

The POPI Act requires that a set of streamlined processes and systems must be established that can easily identify where personal information is stored, understand how this information is processed physically and electronically, who has access to this information, as well as for what purpose it is required.

ompliance to the Protection of Personal Information Act (POPIA), also known as the POPI Act, will be mandatory for most organisations in South Africa.  As the Information Regulator develops the POPI Regulations further, so the dates and requirments will become clearer.  See the latest status from the Information Regulator.  This doesn’t mean that organisations should wait until then.  The European Union has developed the General Data Protection Regulations (GDPR) and are in the process of implementation.  The Information Regulator is likely to follow similar principles and regulations. Until the POPI Act and Regulations are fully in place, following the GDPR will get you moving in the right direction.

Whilst the focus of the POPI Act is on compliance, our approach is to implement compliance in such a way that it delivers business value, so that it doesn’t become a cost centre, or overhead, but rather allows for improvements in efficiencies and effectiveness, done in such a way as to meet the compliance requirements.

The site contains useful guidance and implementation tools to equip you to be POPI Act compliant.  It will evolve over time as the Regulations are published.  

The information published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is up to date and accurate. Please consult with a lawyer for legal advice. During our implementation we can engage with privacy lawyers on your behalf. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages.

Direct Marketing

Slightly different rules apply if the subject is a customer.  Here the customer’s contact details must have been obtained in the context of the sale of a product or a service, the direct marketing by electronic communication can only relate to the suppliers own similar products or services, and the customer must have been given the right to opt out at the time that the information was collected and each time such a communication is sent.

The Act covers Direct Marketing restrictions in great  detail and should be consulted before any direct marketing campaign is considered.

There are 8 to 10 things to consider with getting the POPIA Compliancy in place.

Almost all organisations are faced with the challenge of achieving and maintaining compliance with the Protection of Personal Information Act No. 4 of 2013 (POPI Act). This handy checklist provides a proven step-by-step forty-action-point approach to compliance.

1. Formalise your POPI Act compliance project

  1. Identify your relevant stakeholders
  2. Identify your project sponsor
  3. Identify your project manager
  4. Set high level scope, timescale, budget

2. Appoint an Information Officer

  1. Ensure alignment between your Promotion of Access to Information Act (PAIA) and POPI Information Officer (IO)
  2. Decide whether the CEO can fulfill the IO function or needs a Deputy/Deputies (DIO)
  3. Agree IO/DIO  roles and responsibilities
  4. Complete the formal appointment process

3. Perform a gap analysis versus the POPI Act

  1. Set interim and final targets for compliance with the POPI Act. This does not mean slavishly shooting for 100% regardless of costs and benefits!
  2. Engage with stakeholders in the assessment
  3. Use an evidence-based approach
  4. Use the assessments for ongoing compliance monitoring

4. Analyse what and how Personal Information is processed

  1. Use a broad definition of record types as per the POPI Act (e.g. CCTV, biometric)
  2. Look at various aspects as required by the POPI Act (including consent, purpose, source, sharing, destruction)
  3. Consider user rights and their management
  4. Think broadly in terms of the types of devices where data is stored – and represents a security compromise risk

5. Implement POPI Act compliance policies

  1. Review existing relevant policies
  2. Ensure your policies are reasonable and appropriate
  3. Make sure your policies are enforceable
  4. Design your Privacy Notices for diverse stakeholder groups

6. Review your web sites

  1. Run the POPIA Website Assessment Tool
  2. Get a quote to get your website POPIA ready.
  3. Implement POPIA compliancy strategy & tools on your website.
  4. Use the opportunity to implement “best practice” such as Cookie notifications
  5. Develop and implement your remediation plan

7. Update / create your PAIA manual

  1. Confirm your organisation needs a Promotion of Access to Information Act (PAIA) manual and by when
  2. Confirm whether you are a Public or Private Body as per the PAIA
  3. Review the proposed contents of your manual
  4. Ensure your PAIA manual follows the prescribed layout and includes the necessary details

8. Implement POPI compliant PI management processes

  1. Look at the PI lifecycle: including acquisition, processing, retention, and destruction practices
  2. Develop reasonable and appropriate measures to ensure ongoing compliance
  3. These could include self-assessments, health-checks, formal audits
  4. Develop your dashboard for compliance

9. Train stakeholders about their roles in POPI Act compliance

  1. Design training according to their needs
  2. Ensure you treat user education not as a once-off series of activities but part of an ongoing commitment
  3. Leverage diverse training methods, including self-study, online, classroom, audio and video
  4. Look to special needs such as the IO/DIO roles

10. Make POPI Act compliance  “Business-As-Usual”

  1. Recognise that POPI Act compliance will be the “new normal” and work that way
  2. Build compliance into your products, services and processes – adopt “Privacy By Design”
  3. Ensure ongoing monitoring of the data protection / POPI ecosystem – legislation, regulations, opportunities and threats
  4. Build POPI into your everyday operations – make POPI “Business-As-Usual”


The Information Regulator

Protection of Personal Information Act, 2013  The POPIA Act

 Protection of Personal Information Act, 2013 – Draft regiulations for comment  POPIA Regulations

The Promotion of Access to Information Act, 2000 PAIA

The Promotion of Access to Information Amendment Act, 2002 The PAIA Amendment Act

Let’s Get Started

Ready To Comply? Let's help you now!