Protection of Personal Information Act No. 4 of 2013

The POPI Act has been a long time in the making and an even longer time in the coming. It was first enacted in 2013 and is yet to be fully implemented, although the vast bulk of its provisions will become enforceable on 1 July 2021, assuming no further extensions to compliance are afforded.

What is the POPI Act?

The POPI Act is South Africa’s legislative solution to data protection.

What does the POPI Act require?

The POPI Act sets out the circumstances under which Personal Information may be lawfully processed and provides criteria which must be met in order to ensure ongoing compliance with the provisions of the POPI Act.

What are the criteria for lawful use of Personal Information?

In broad, general terms, the POPI Act requires the following 8 (eight) criteria to be adhered to in order for the lawful processing of Personal Information to be ensured;

  1. Accountability (Section 8).
  2. Processing limitation (Sections 9, 10, 11 and 12)
  3. Purpose specification (Sections 13 and 14)
  4. Further processing limitation (Section 15)
  5. Information quality (Section 16)
  6. Openness (Sections 17 and 18)
  7. Security safeguards (Sections 19, 20, 21 and 22)
  8. Data subject participation (Sections 23, 24 and 25)

What is Personal Information?

Personal Information is information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

(d) the biometric information of the person;

(e) the personal opinions, views or preferences of the person;

(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

(g) the views or opinions of another individual about the person; and

(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

What steps must my business take to ensure is it POPI Act compliant?

  1. Your business must appoint an Information Officer – this may be someone from within the ranks of the organisation, but it must be someone with sufficient authority to implement procedures and policies within the organisation.
  2. Draft and publish a Privacy Policy.
  3. Review existing agreements between your business and any 3rd parties and amend such agreements, where necessary, to cater for the requirements of the POPI Act.
  4. Ensure ongoing compliance with the provisions of the POPI Act when processing any Personal Information.
  5. Report any breaches of the POPI Act to the Information Regulator.

What can happen if my business ignores the POPI Act?

Non-compliance with the requirements of the POPI Act can result in a fine of between R1 million and R10 million and/or imprisonment from between 1 to 10 years. Additional consequences could include having to pay compensation to the Data Subject who has suffered damages as a result of the non-compliance and severe reputational damage (possibly the most underestimated consequence of a POPI Act breach).

For further information on the POPI Act, send us an email at and we would be happy to advise further.