An overview of the POPI Act and the impact it has on businesses.

The Protection of Personal Information (POPI) Act has been signed into law by the President and published in the Government Gazette Notice 37067 in November 2013. The Protection of Personal Information (POPI) Act, No 4 of 2013, promotes the protection of personal information by all public and private entities. The POPI Act serves various purposes, namely:

  • Regulating how personal information may be process by means of establishing conditions that meet international standards for the lawful processing of personal information.
  • Ensuring the constitutional right to privacy by protecting personal information.
  • Establishing voluntary and compulsory measures, including Information Regulator.

To whom does POPI apply to?

  • Any public or private body or any other person which, unaided or in combination with others, regulates the purpose of and means for processing personal information (Responsible Party). The "Responsible Party" of every company is accountable for ensuring and enforcing its own compliance.
  • Any person who processes personal information for a Responsible Party in terms of a mandate or agreement, without coming under the direct authority of the Responsible Party.

It’s really about taking special care of the personal information that is entrusted to you by your customers and clients. If you act recklessly with this information, you not only face regulatory sanctions, but you also run an actual risk of damaging client relationships and overall business reputation. Non-compliance may have far reaching consequences and could expose the Responsible Party to a penalty or fine of R10 million and/or imprisonment of 12 months up to 10 years.

What personal information does POPI apply to?

Most businesses in South Africa will be impacted by the POPI Act in one or more ways. The personal information that the POPI Act protects is that of an identifiable person, including information relating to:

  • Gender, race, marital status, nationality, sex, mental health, religion, belief, language, etc.
  • Education or financial, criminal, medical and employment history.
  • Biometrics, including physical, behaviour or physiological characterisations (DNA analysis, retinal scanning, blood type, etc.)
  • Email address, telephone number, location information, online identifier, etc.
  • Correspondence of a private nature.
  • Opinions or views that another person has relating to the person.
  • The person’s name, if disclosure of the name would lead to the reveal of information about the person.

Personal information does not refer to information that is already in the public domain or is not used or intended to be used for the purpose of trade or commerce.

What are the information processing conditions?

The POPI Act includes eight information processing principles or conditions, namely: accountability, data subject participation, and further processing limitation, information quality, openness, processing limitation, purpose specification and security safeguards. These conditions ensure improved data quality and business management.

When does the POPI Act come into effect?

Once the Act is made effective, companies will be given a year’s grace period to comply with the Act. The Act was partially enacted in 11 April 2014. We are awaiting the commencement date of the other sections of the Act whereby the Information Regulator will start enforcing POPI one year after this commencement date. Indications are that the POPI Act might be fully implemented from the end of May 2017. Realistically, South African businesses should already have started their POPI implementation processes, in order to ensure compliance.

Who is the Information Regulator?

The Information Regulator is an independent juristic body that has been appointed in 2016 in terms of POPI. The Information Regulator is, among others, responsible for educating the public about POPI, handling of complaints, enforcing and monitoring of compliance etc. SERR Synergy assist businesses and organisations to fully comply with procedures as required by POPI by setting up a comprehensive Information Security Management System (ISMS).

You May Also Like

The POPI Act and handling of medical information
September 28, 2017
With personal information becoming more accessible and easier to manipulate, POPI legislation is imperative for the protection of businesses and individuals.
What are the grounds for refusing Access to Information?
September 16, 2019
The Promotion of Access to Information Act (PAIA) was promulgated in 2000 and is intended to give effect to the Constitution, granting any person or Juristic person the right to have access to information.
POPI Act Update – Other sections of POPI Act proclaimed
June 26, 2020
South Africa’s Personal Information Act 4 of 2013 (POPI Act) is implemented in various phases and the provisions dealing with the appointment and powers of the Information Regulator were already implemented two years ago. 
Online Resource & News Portal