POPI Act Compliance

Failure to comply with the requirements of the POPI Act could have dire consequences. Although one cannot and should not shy away from the legal aspects of the Act, POPIA should be seen as an opportunity to identify, clean up and manage information better, and in doing so, improve business processes. Don't fall into the trap of implementing POPIA just to meet your compliance requirements.

Steps to take immediately

Download the Act and draft regulations and become familiar with them.

Review all the pages on this website and keep in touch as this will be updated frequently.

Add yourself to our "keep-up-to-date with POPIA" mailing list. In keeping with the spirit of POPIA, we promise not to spam you or abuse your information. 

Appoint an Information Officer and ensure that he is aware of his roles and responsibilities.

Make decision makers and key personnel in your organization aware that the law has changed with the POPI Act, and of the severe consequences of non-compliance.

Conduct a current-status risk assessment / information audit to establish your organization's present level of data protection compliance.

Document what Personal Information you currently hold, where it comes from, how it is to be used and who you share it with.

Produce a POPI Act policies and procedures manual and ensure that everyone who deals with Personal Information is aware of the legal implications of this Act. This manual is to include your organization's privacy policy with regard to:

  • Data collection (type of data, purpose, consent, legal aspects, minimality, and transparency)
  • Data access and accuracy (correct, complete, reliable and process of updating information)
  • Data usage and restrictions (purpose, relevance, restrictions, legality, permission, limitations)
  • Data storage (physical, off-site, electronic, back-up, cloud storage)
  • Data security safeguards (physical, electronic, network, password control, disaster recovery)
  • Disclosure (legality, consent, data subject awareness, data request handling)
  • Responsibilities (all directors, top management, Information Officer, personnel dealing with Personal Information, vendors, contractors, suppliers)
  • Complaints (process, handling, legalities, transparency)
  • Retention (retention schedule)
  • Destruction (destruction schedule)

Implement staff awareness training (all current staff, new appointees and regular refresher training).

Put procedures in place to monitor and enforce compliance.