What POPIA means for business

The POPI Act ensures that the right to privacy is taken seriously and includes a data subject's right to be protected against any unlawful collection, retention, dissemination and use of their personal information.

Companies are required to receive consent from individuals before they can obtain, retain and process personal information for communication or any other purpose. As per "Conditions for lawful processing" the definition of "Personal Information" includes contact details, demographic information, personal history, as well as communication records.

The POPI Act highlights the need for a greater understanding of the manner in which personal information is stored and processed. This means that the systems, the processes, and the way logical and physical access is maintained and managed for the systems and areas housing personal information all need to be considered.

Protection of Personal Information requires extra vigilance in all aspects of physical and information security. The basis of the POPI Act is to protect personal information and prevent information from being exposed to unauthorised persons. As a result, this implies an obligation to protect information relating to individuals and juristic entities from any damage, including financial fraud, identity theft, misuse and the abuse of personal information.

The POPI Act requires that a set of streamlined processes and systems must be established that can easily identify where personal information is stored, understand how this information is processed physically and electronically, who has access to this information, as well as for what purpose it is required.

This article must be read in conjunction with the POPI Act, which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013.

Definitions
“data subject” – a person to whom personal information relates.

“direct marketing” – sending a data subject an electronic communication about goods and services that you are promoting or offering to supply in the ordinary course of business, or requesting a donation of any kind for any reason.

“processing” – any operation or activity concerning personal information.

“record” – any recorded information, regardless of when it came into existence.

“responsible party” – a public or private body or any other person which determines the purpose of and means for processing personal information.

For a full list of definitions, please refer to the POPI Act, which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013.

Relationship with other Acts

The POPI Act (POPIA) is just one of many Acts that govern South African law. When looking at the requirements of the POPI Act, the requirements of other Acts should also be taken into consideration.

The Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA) hold a special relationship. Both can be seen as "information" laws, and each sits at one end of a continuum. On the one end, PAIA is an "access" law, all about freedom of information. POPIA, on the other end, is about privacy: the prevention of exposure of information. They shouldn't be seen as competing; rather, both are there to help ensure that information is managed correctly.

Below are some of the other Acts that may impact the POPI Act compliance process.

  • Basic Conditions of Employment Act 75 of 1997
  • Broad-Based Black Economic Empowerment Act 53 of 2003
  • Close Corporations Act 69 of 1984
  • Companies Act 71 of 2008
  • Compensation for Occupational Injuries and Diseases Act 130 of 1993
  • Consumer Protection Act 68 of 2008
  • Copyright Act 98 of 1978
  • Electronic Communications and Transactions Act 25 of 2002
  • Income Tax Act 58 of 1962
  • Intellectual Property Rights from Publicly Financed Research and Development Act 51 of 2008
  • International Standard for Records Management (ISO 15489)
  • Labour Relations Act 66 of 1995
  • National Archives and Records Service of South Africa Act 43 of 1996
  • National Credit Act 34 of 2005
  • Promotion of Access to Information Act 2 of 2000 (PAIA)
  • Promotion of Administrative Justice Act 3 of 2000 (PAJA)
  • Protection of Personal Information Act 4 of 2013 (POPI)
  • South African National Standard for Records Management (SANS 15489)
  • The Constitution of the Republic of South Africa 1996
  • Value Added Tax Act 89 of 1991

In addition to these Acts, other industry-specific Acts, Regulations and Codes of Practice should be considered. In particular, the King Report on Corporate Governance (King III and King IV) should be taken into account.

POPI Act Compliance

Failure to comply with the requirements of the POPI Act could have dire consequences. Although one cannot and shouldn't shy away from the legal aspects of the Act, POPIA should be seen as an opportunity to identify, clean up and manage information better, and in doing so, improve business processes. Don't fall into the trap of implementing POPIA just to meet your compliance requirements.

Steps to take Immediately

Download the Act and draft regulations and become familiar with them.

Review all the pages on this website and keep in touch as this will be updated frequently.

Add yourself to our "keep-up-to-date with POPIA" mailing list. In keeping with the spirit of POPIA, we promise not to spam you or abuse your information. 

Appoint an Information Officer and ensure that he is aware of his roles and responsibilities.

Make decision makers and key personnel in your organization aware that the law has changed in accordance with the POPI Act and the severe consequences of non-compliance.

Conduct a current status risk assessment / information audit to establish data protection compliance level.

Document what Personal Information you currently hold, where it comes from, how it is to be used and who you share it with.

Produce a POPI Act policies and procedures manual and ensure that everyone who deals with Personal Information is aware of the legal implications of this Act. This manual is to include your organization's privacy policy with regard to:

  • Data collection (type of data, purpose, consent, legal aspects, minimality, and transparency)
  • Data access and accuracy (correct, complete, reliable and the process of updating information)
  • Data usage and restrictions (purpose, relevance, restrictions, legality, permission, limitations)
  • Data storage (physical, off-site, electronic, back-up, cloud storage)
  • Data security safeguards (physical, electronic, network, password control, disaster recovery)
  • Disclosure (legality, consent, data subject awareness, data request handling)
  • Responsibilities (all directors, top management, Information Officer, personnel dealing with Personal Information, vendors, contractors, suppliers)
  • Complaints (process, handling, legalities, transparency)
  • Retention (retention schedule)
  • Destruction (destruction schedule)

Implement staff awareness training (all current staff, new appointees and regular refresher training).

Put procedures in place to monitor and enforce compliance.


The POPI Act is a new all-inclusive piece of legislation, a privacy law, that safeguards the integrity and sensitivity of private information. Companies are required to carefully manage the data capture and storage process of Personal Information.

The definition of Personal Information as set out in the POPI Act is as follows:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  2. information relating to the education or the medical, financial, criminal or employment history of the person;
  3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  4. the biometric information of the person;
  5. the personal opinions, views or preferences of the person;
  6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  7. the views or opinions of another individual about the person; and
  8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

The Act ensures that Personal Information of both individuals and juristic entities is sufficiently protected, used in a manner for which it was gathered and that facilitates transparency around the following:

  • What is done with the personal information;
  • Why and how it is processed (from collection, to usage, sharing, disposal, archiving, etc);
  • Who the personal information is shared with (third parties – both locally and internationally, other legal entities);
  • What types of personal information are processed and for what purpose.

Privacy is about ensuring that both individuals and juristic entities are aware of what is being done with their personal information. The South African Constitution emphasizes the right to privacy. This means that ultimate ownership of the personal information resides with the individual or juristic entity concerned.