POPI Act Update – Other sections of POPI Act proclaimed

POPI Act Update – Other sections of POPI Act proclaimed

POPI Act Update – Other sections of POPI Act proclaimed

South Africa’s Protection of Personal Information Act 4 of 2013 (POPI Act) is implemented in various phases and the provisions dealing with the appointment and powers of the Information Regulator were already implemented two years ago. 

The remaining provisions were supposed to take effect in 1 April 2020 but full implementation has been delayed due to the coronavirus outbreak in the country. 



Although it has been consistently said that the POPI Act will not become effective until the Regulator is fully operational, the President proclaimed 1 July 2020 as the commencement date of the remaining sections of the Act that have not yet been implemented. 

Businesses in South Africa need to comply fully with the POPI Act as the Information Regulator will start enforcing compliance one year after the commencement date. In a previous blog article, ‘Update- Effective date for the POPI Act’ we discussed the sections of the Act that are already being implemented. The purpose of this blog is to highlight the sections of the Act that will take effect on 1 July 2020.

Which sections of the POPI Act will become effective as of 1 July 2020?

The following are essential parts of the Act that will come into effect on 1 July 2020:

  • Sections 2 to 38
    • The Purpose of the Act;
    • Application and Interpretation of the Act;
    • Lawful processing of personal information;
    • Rights of data subjects;
    • Exclusions;
    • The conditions for the lawful processing of personal information;
    • Exemptions from conditions for processing of personal information.
  • Sections 55 to 109, 111 and 114(1)(2)(3)
    • Duties and responsibilities of the Information Officer;
    • Prior authorisation;
    • Codes of conduct;
    • Rights of data subjects regarding direct marketing;
    • Transborder information flows;
    • Enforcement;
    • Offences, penalties and administrative fines;
    • Fees;
    • Transitional arrangements.

The implementation of the above sections of the Act means that the full spectrum of compliance and enforcement provisions is now in operation and all businesses and persons being in possession of another person or entities’ personal information, must become compliant.

What is the aim of the POPI Act?

  • The POPI Act will ensure that all businesses are held accountable for the collection, processing, storage and sharing of personal information.
  • Entities that process personal information must therefore ensure that they do so in a lawful manner. New company policies will be required for information processing, storage and deletion to ensure that such information is safeguarded and the risk of data breaches and theft of personal information is minimised. Section 19 of the Act places an obligation on businesses to take “appropriate, reasonable, technical and organisational measures” to prevent the loss and unlawful processing of personal information.
  • The Act aims to promote the protection of personal information processed by public and private bodies and seeks to balance the right to privacy with other rights, such as access to information. 


Full implementation of POPI is an onerous process and involves onsite audits, assessments, amendment of agreements with certain suppliers and training of staff. Businesses should therefore start adhering to the compliance requirements as soon as possible to ensure proper implementation. A previously published article, ‘Gearing up to meet POPI regulations’ will help with the first few steps that are crucial for organisations to start complying, raise awareness and begin planning.

SERR Synergy assists businesses in compiling Data and Information Protection Reports. Our professional legal team ensures that physical information and cybersecurity risks of organisations are identified and managed to maintain the confidentiality, integrity and availability of data. We provide organisations with various policies to ensure compliance in such a way that it adds business value to our clients and allows for improvement in efficiencies and effectiveness.

About the Author: Retha van Zyl completed her BCom Hons (Economics and Risk Management) studies at the North West University. She joined our team in January 2016 and currently holds the title ‘Information Compliance Advisor’. She specialises in POPI and PAIA compliance, which includes compiling and submitting PAIA Manuals to the Human Rights Commission. She also compiles the Data and Information Protection Report to identify risks associated with information security and drafts Information Security policies for procedural compliance in each department within an organisation.







You May Also Like

POPI Act and Direct Marketing - Opting in and Opting out
April 01, 2022
The Protection of Personal Information Act 4 of 2013 (POPIA) defines direct marketing as approaching a data subject (which could be either an organisation or an individual) in person, per electronic communication or by mail, for the purpose of promoting or advertising goods or services to the data subject or asking them to donate.
Practical steps to comply with the POPI Act
October 29, 2020
South Africa’s Personal Information Act 4 of 2013 (POPI Act) commenced on 1 July 2020, giving businesses 1 year to comply.
The importance of obtaining consent in terms of the POPI Act
July 24, 2019
Compliance with the Protection of Personal Information (POPI) Act will become increasingly important for all organisations. As the Information Regulator develops the POPI regulations further, the requirements will become clearer.
Online Resource & News Portal