POPI Act Update – Other sections of POPI Act proclaimed


South Africa’s Protection of Personal Information Act 4 of 2013 (POPI Act) is being implemented in phases, and the provisions dealing with the appointment and powers of the Information Regulator were already implemented two years ago.

The remaining provisions were supposed to take effect on 1 April 2020, but full implementation has been delayed due to the coronavirus outbreak in the country.



Although it has been consistently said that the POPI Act will not become effective until the Regulator is fully operational, the President proclaimed 1 July 2020 as the commencement date of the remaining sections of the Act that have not yet been implemented. 

Businesses in South Africa need to comply fully with the POPI Act, as the Information Regulator will start enforcing compliance one year after the commencement date. In a previous blog article, ‘Update- Effective date for the POPI Act’, we discussed the sections of the Act that are already being implemented. The purpose of this blog is to highlight the sections of the Act that will take effect on 1 July 2020.

Which sections of the POPI Act will become effective as of 1 July 2020?

The following are essential parts of the Act that will come into effect on 1 July 2020:

  • Sections 2 to 38
    • The Purpose of the Act;
    • Application and Interpretation of the Act;
    • Lawful processing of personal information;
    • Rights of data subjects;
    • Exclusions;
    • The conditions for the lawful processing of personal information;
    • Exemptions from conditions for processing of personal information.
  • Sections 55 to 109, 111 and 114(1)(2)(3)
    • Duties and responsibilities of the Information Officer;
    • Prior authorisation;
    • Codes of conduct;
    • Rights of data subjects regarding direct marketing;
    • Transborder information flows;
    • Enforcement;
    • Offences, penalties and administrative fines;
    • Fees;
    • Transitional arrangements.

The implementation of the above sections of the Act means that the full spectrum of compliance and enforcement provisions is now in operation, and all businesses and persons in possession of another person’s or entity’s personal information must become compliant.

What is the aim of the POPI Act?

  • The POPI Act will ensure that all businesses are held accountable for the collection, processing, storage and sharing of personal information.
  • Entities that process personal information must therefore ensure that they do so in a lawful manner. New company policies will be required for information processing, storage and deletion to ensure that such information is safeguarded and the risk of data breaches and theft of personal information is minimised. Section 19 of the Act places an obligation on businesses to take “appropriate, reasonable, technical and organisational measures” to prevent the loss and unlawful processing of personal information.
  • The Act aims to promote the protection of personal information processed by public and private bodies and seeks to balance the right to privacy with other rights, such as access to information. 


Full implementation of POPI is an onerous process and involves onsite audits, assessments, amendment of agreements with certain suppliers and training of staff. Businesses should therefore start adhering to the compliance requirements as soon as possible to ensure proper implementation. A previously published article, ‘Gearing up to meet POPI regulations’, will help with the first few steps that are crucial for organisations to start complying, raise awareness and begin planning.

SERR Synergy assists businesses in compiling Data and Information Protection Reports. Our professional legal team ensures that physical information and cybersecurity risks of organisations are identified and managed to maintain the confidentiality, integrity and availability of data. We provide organisations with various policies to ensure compliance in such a way that it adds business value to our clients and allows for improvement in efficiencies and effectiveness.

About the Author: Retha van Zyl completed her BCom Hons (Economics and Risk Management) studies at the North West University. She joined our team in January 2016 and currently holds the title ‘Information Compliance Advisor’. She specialises in POPI and PAIA compliance, which includes compiling and submitting PAIA Manuals to the Human Rights Commission. She also compiles the Data and Information Protection Report to identify risks associated with information security and drafts Information Security policies for procedural compliance in each department within an organisation.






