The Information Regulator published the "Regulations relating to the Protection of Personal Information" in the Government Gazette on 14th December 2018 42110, RG 10897, GoN 1383 (just when we were all going off on holiday.)

Regardless of the timing, in terms of Section 114 (1) of the Act, "All processing of personal information must within one year after the commencement of this section be made to conform to this Act".  In the absence of any further statements or notifications from the Regulator, we must assume that this means we will need to comply by the end of 2019.

I have attached a copy of the Regulations, which can also be downloaded from POPIA Regulations or from: 

The pressure is now on.  Contact me at This email address is being protected from spambots. You need JavaScript enabled to view it. to see how we can assist you in fast-tracking your POPIA compliance.

Protection of Personal Information (POPI) isn't new in South Africa.  The Protection of Personal Information Bill was around in 2009, which meant that the discussion had been going on for years before that.  We became used to talking about POPI, and the Information Regulator is now prefering to use the term POPIA, or POPI Act. 

Is there a difference?

Much of the Personal Information that is kept will be in the form of data in databases or systems, and the rest will be in form of documents or records.  Managing these correctly is imperative under POPIA.  This article will build on the records management elements that will need to be implemented in order to fully comply with the Protection of Personal Information Act.

Sections 100 – 106 of the POPI Act deal with instances where parties would find themselves “guilty of an offense”. The most relevant of these are:

  • Any person who hinders, obstructs or unlawfully influences the Regulator;
  • A responsible party which fails to comply with an enforcement notice;
  • Offences by witnesses, for example, lying under oath or failing to attend hearings;
  • Unlawful Acts by responsible party in connection with account numbers;
  • Unlawful Acts by third parties in connection with account number.

Section 107 of the Act details which penalties apply to respective offenses.

If someone is alleged to be in breach of the POPI Act, a complaint may be submitted to the Information Regulator.

This complaint will be dealt with by an adjudicator.If a person is not happy with the determination of the adjudicator, they can still approach the Information Regulator for another ruling.

Disputes and breaches are covered in great detail in the Act and the Act should be consulted before drawing up Policies and Procedures to handle such matters.

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013


Page 1 of 3