07 Aug 2020

The Protection of Personal Information Act (POPIA) is here: A Quick Run Down

by Verlie Oosthuizen, Partner, Durban

South Africa’s Protection of Personal Information Act 4 of 2013 (hereafter referred to as “POPIA”) is now a reality and will affect business practices across the board. POPIA governs the processing of personal information with the central aim of upholding a person’s right to privacy as provided for in the Constitution. POPIA achieves this by placing obligations on persons who request, collect, store, process and otherwise use personal information relating to another person, in order to protect that person from suffering potential damage or harm. More importantly, POPIA backs these obligations with penalties for breaches of the privacy of a person’s personal information.

WHEN DID THE POPIA COME INTO OPERATION AND WHAT CONSEQUENCE DOES ITS COMMENCEMENT BEAR ON PERSONS?

POPIA was signed into law in 2013, and certain limited provisions of the Act came into operation at that time. These included the establishment of the Information Regulator through the appointment of its Chairperson in 2016 (Adv. Pansy Tlakula) and the publication of the regulations in 2018. These limited sections did not relate to the actual enforcement of POPIA, which requires organisations and persons to comply with its provisions and results in penalties when they are found to be non-compliant.

The Information Regulator attributed the delay in commencing these provisions to a lack of sufficient resources to handle the inevitable influx of complaints and investigations. She stated that the provisions should not commence until such time as her office was equipped to deal with them. A formal request was later made by the Regulator for POPIA to commence on 01 April 2020.

The COVID-19 outbreak and the start of the nationwide lockdown made businesses reliant on all forms of electronic communication and data processing to conduct business. The resulting surge in national and international data traffic increased the risk of security breaches and data leaks that can compromise identities and personal information. It is for these reasons that President Cyril Ramaphosa announced that the additional provisions of POPIA would come into force and effect on 01 July 2020.

What this effectively means is that, from 01 July 2020, the remaining sections of the Act require persons responsible for the processing of another’s personal information (a responsible party) to comply with the conditions for the lawful processing of personal information, failing which they will be non-compliant with POPIA and subject to its penalties.

The following sections of POPIA came into effect on 01 July 2020:

  • Sections 2 to 38, which include the provisions dealing with the conditions for the lawful processing of personal information and the provisions relating to exemptions from those conditions.
  • Sections 55 to 109, which include prior authorisation for the processing of personal information, codes of conduct, the rights of individuals in respect of direct marketing, transborder information flows, enforcement provisions, and offences and penalties.
  • Section 111, relating to fees in terms of POPI.
  • Section 114(1), (2) and (3), which allows for a compliance period of 1 year before full POPI compliance is mandatory. This means that businesses have until 30 June 2021 to ensure full compliance with the provisions of POPI.

Although POPIA provides for a grace period, businesses should not squander this timeframe and rather endeavour to be fully compliant as soon as possible.

HOW CAN BUSINESSES ENSURE COMPLIANCE WITH POPIA?

Compliance with the Act is not a tick-box exercise, and non-compliance can have serious consequences. The following are a few steps a business can adopt to ensure compliance and the lawful processing of personal information.

The responsible party should:

  • APPOINT an information officer. POPIA requires the appointment of an information officer (who, in the absence of an appointment, is by default the CEO or head of the business). This person must be registered with the Information Regulator, and this key role player drives the culture of POPIA compliance within the business.
  • IDENTIFY and assess how personal information in the business is currently processed, and develop a compliance framework.
  • AUDIT current POPIA policies to assess compliance gaps in processing procedures and processes.
  • AMEND current policies where required. A proper gap analysis will help identify which processes and policies have to be put in place. These may include the business privacy policy and terms and conditions documents, updated employment contracts, or even a tailor-made POPI policy. Training should also be provided to employees regarding their applicable POPI obligations.
  • IMPLEMENT the compliance policies and procedures.

REMOTE WORKPLACE TIPS FOR PROTECTING PERSONAL INFORMATION & SAFEGUARDING AGAINST DATA LEAKS AND BREACHES

Businesses generally have mechanisms in place to control the flow of personal information within office networks and physical spaces; however, when working remotely, employees also bear the responsibility for ensuring that personal information remains protected. Remote working has added another dimension to the lawful processing requirement, because the Act may allow liability for data breaches committed by employees to be attributed to the employer. Here are some remote workplace tips to follow:

  • Employees are responsible for the safe and secure handling of all hardcopy records and information taken off site or accessed from an offsite location.
  • Documents may only be removed with the required approval from management, and only when absolutely necessary for carrying out duties.
  • Remove copies rather than originals, which should remain in the office folders. Account for all documents removed: the description, the reason and the time of removal.
  • When travelling, keep documents sealed in a briefcase or suitcase; they must remain under the supervision of the employee who removed them at all times. At home or in a remote office, documents must be stored in a safe or secure cabinet or area.
  • Electronic devices such as laptops, computers and cellphones should be password-protected, and any personal information on hard drives should be encrypted.
  • Other reasonable safeguards, such as anti-virus software and personal firewalls, must be installed.
  • Employees must only use software approved by the business IT Department.
  • When working in a remote environment, computers or laptops should be logged off when unattended. Do not share business wireless networks for personal use.
  • Video conferencing: all participants must be notified of the purpose of the meeting and must consent to the meeting being recorded.
  • Any personal or business information must be removed from view when using the camera or screen sharing. Cameras and microphones must be switched off when not in use.
  • Emails: use work-related email accounts for work-related purposes.
  • When processing personal information through work email accounts, ensure that the files are encrypted and avoid including personal information in subject lines.
  • Ensure that emails are sent to the correct recipients, particularly emails involving large amounts of personal information.

All persons bound by the provisions of POPIA have until no later than 01 July 2021 to become compliant with the Act, and organisations should not underestimate how quickly the 12-month grace period will lapse, considering the processes that need to be adopted before compliance is possible. Infringement of the provisions has far-reaching consequences, including fines of up to R10 million per infringement, imprisonment of up to 10 years, or both a fine and imprisonment.