This morning (22nd June 2020) the Presidency announced dates for compliance to POPIA.  The dates are as follows:

Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3) shall commence on 1 July 2020.
Sections 110 and 114(4) shall commence on 30 June 2021.

What does this mean:

Applicable immediately: 1 July 2020:

Sections 2 to 38; sections 55 to 109; section 111; and section 114 (1), (2) and (3).
The sections which will commence on 1 July 2020 are essential parts of the Act and comprise sections which pertain to, amongst others, the conditions for the lawful processing of personal information; the regulation of the processing of special personal information; Codes of Conduct issued by the Information Regulator; procedures for dealing with complaints; provisions regulating direct marketing by means of unsolicited electronic communication, and general enforcement of the Act.

This is the main body of the Act, and although Section 114 (1) (see below) gives a year, in principle, the time to act is now, and all organisations need to become compliant as soon as possible.

Applicable from 30 June 2021

Sections 110 and 114(4) shall commence on 30 June 2021.
Section 114(1) is of particular importance as it states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act. This means that entities (both in the form of private and public bodies) will have to ensure compliance with the Act by 1 July 2021.  However, it stands to reason that private and public bodies should attempt to comply with the provisions of the Act as soon as possible in order to give effect to the rights of individuals.

The full press release can be viewed at: 

The Information Regulator published the "Regulations relating to the Protection of Personal Information" in the Government Gazette on 14th December 2018 42110, RG 10897, GoN 1383 (just when we were all going off on holiday.)

Regardless of the timing, in terms of Section 114 (1) of the Act, "All processing of personal information must within one year after the commencement of this section be made to conform to this Act".  In the absence of any further statements or notifications from the Regulator, we must assume that this means we will need to comply by the end of 2019.

I have attached a copy of the Regulations, which can also be downloaded from POPIA Regulations or from: 

The pressure is now on.  Contact me at This email address is being protected from spambots. You need JavaScript enabled to view it. to see how we can assist you in fast-tracking your POPIA compliance.

Protection of Personal Information (POPI) isn't new in South Africa.  The Protection of Personal Information Bill was around in 2009, which meant that the discussion had been going on for years before that.  We became used to talking about POPI, and the Information Regulator is now prefering to use the term POPIA, or POPI Act. 

Is there a difference?

The draft regulations to the Protection of Personal Infomation Act (POPIA) have been published for public comment.  Deadline for comments is 07 Nov 2017.  Links to the Government Gazette notification with the draft regulations are below:

GG 41105, GoN 709, 08 Sep 2017 - Protection of Personal Information Act, 2013 (Act. 4 of 2013): Invitation to comment on Draft Regulations relating to the Protection of Personal Information

Much of the Personal Information that is kept will be in the form of data in databases or systems, and the rest will be in form of documents or records.  Managing these correctly is imperative under POPIA.  This article will build on the records management elements that will need to be implemented in order to fully comply with the Protection of Personal Information Act.

The POPI Act is a new all-inclusive piece of legislation that safeguards the integrity and sensitivity of private information. Companies are required to carefully manage the data capture and storage process of Personal Information within the lawful framework as set out in the Act.

Sections 100 – 106 of the POPI Act deal with instances where parties would find themselves “guilty of an offense”. The most relevant of these are:

  • Any person who hinders, obstructs or unlawfully influences the Regulator;
  • A responsible party which fails to comply with an enforcement notice;
  • Offences by witnesses, for example, lying under oath or failing to attend hearings;
  • Unlawful Acts by responsible party in connection with account numbers;
  • Unlawful Acts by third parties in connection with account number.

Section 107 of the Act details which penalties apply to respective offenses.