The new (improved) POPIA law

Don’t panic, no one is going to jail… yet…

It’s here: the Protection of Personal Information Act (POPI Act, or POPIA) commenced on 1 July 2020. It was originally due to take effect on 1 April 2020 (an amusing date, but I digress); however, thanks to the appearance of an invisible enemy, namely COVID-19, the roll-out was delayed. (So maybe it was an appropriate date after all, a case of ‘Just kidding!’?)

Now that the Act is in force, organisations have a one-year transition period (until 30 June 2021) to comply. That sounds like a lot of time, but rolling out a comprehensive POPIA compliance plan can take anywhere between six months and two years.

So, what is it, I hear you ask querulously?

Well, for those of you who have just come out of hibernation, POPIA is South Africa’s Protection of Personal Information Act, which regulates how personal information may be processed.

When we talk about personal information, that broadly means any information relating to an identifiable, living natural person, or to an existing juristic person (a body the law recognises as having rights and duties in the same way as a human being; the common examples are companies and CCs). It includes, but is not limited to:

  • contact details: email address, telephone number, physical address, location
  • demographic information: age, sex, race, date of birth, ethnicity, sexual orientation
  • the employment, financial, educational, criminal and medical history of the person or entity, including blood type and other biometric information.

Also of interest: the POPI Act covers the personal opinions, views or preferences of the person, and the views or opinions of others about the person (yeah, that Twitter comment or rant on Facebook…), as well as private correspondence.

However, POPIA, unlike the GDPR (that’s the General Data Protection Regulation), does not reach abroad the way the GDPR does. It applies where the responsible party is domiciled in South Africa or, if domiciled elsewhere, processes personal information using means located in South Africa (other than merely forwarding it through the country). In essence, if you are based in South Africa or you process personal information within the country, you need to comply with POPIA. (Although, if you are GDPR-compliant, chances are you’re already pretty much POPIA-compliant.) In addition, some processing is excluded altogether. For example, if you are processing purely for personal reasons, POPIA won’t apply to you.

Some instances where POPIA does not apply, include:

  • purely household or personal activity
  • some state functions, including criminal prosecution and national security
  • journalism under a code of ethics
  • judicial functions

While both the GDPR and POPIA set out obligations for managing and securing personal information (as well as for notifying the regulator and affected individuals of a security breach), there are variances, as the wording of the security provisions differs a little.

GDPR: “The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected.”

POPIA: “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.”

Also, penalties differ. Under the GDPR, a fine of up to four percent of annual global turnover or €20 million, whichever is greater, can be levied. Try paying that as a South African company!

Under POPIA, a non-compliant responsible party runs the risk of an administrative fine of up to R10 million, and certain offences carry a fine and/or imprisonment of up to 12 months, or, for the most serious offences, imprisonment of up to 10 years.

While this really has overtones of George Orwell’s ‘1984’, there is an upside: the Act also gives people rights when it comes to unwanted electronic communications. That’s gotta be good, right? POPIA essentially treats your personal information as “precious goods” and therefore grants you, as the person it concerns, certain rights of protection and the ability to exercise control over information that is gathered about you.

You see, the Act includes rules about direct marketing. This means you can’t just send unsolicited messages or emails to consumers willy-nilly without them opting in.

Marketing is one of the business departments that will be most affected by POPIA, meaning you have to be fully clued up on what POPIA entails and how it’ll affect your day-to-day job.

For electronic direct marketing, think ‘consent’ and you have most of POPIA compliance. People must opt in to receiving your communications, and you’re only permitted to send them the kind of communication they opted in to. For example, you cannot send a monthly newsletter to a user who only wants information about their individual investment portfolio. By the same token, users must be able to opt out of any further communication easily, and every marketing message must identify the sender and give an address for opting out.

In addition, when asking people for their personal information you must tell them why you need it, how it will be used and whether it will be passed on to third parties.

While POPIA limits some direct marketing channels (emails, cold calling and SMSes), there are other ways to market your products to prospects without worrying about violating the Act.

For example, social media marketing. As explained by Deloitte, if an individual has interacted with you, or is following your company on social media, they already expect to hear from you, so related communication within that platform is not considered unsolicited.

It is important to note that the POPI Act applies not only to forms that are filled in manually, but also to any cookies used on websites for analytics or advertising, and to any chat boxes or pop-ups that collect information. Compliant websites have a clear opt-in through which users acknowledge that they have given the website (that is, the business behind it) consent to collect, process and store their information.
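As an added illustration of the consent rules in the marketing paragraphs above and in the cookie paragraph (this is example code written for this page, not code from the original article or from any named vendor; the purpose names, the cookie name ‘consent’ and the sample trackers are hypothetical): a small consent register that denies every non-essential purpose until an explicit opt-in is recorded, lets a later withdrawal override an earlier grant, gates trackers and outbound marketing messages on it, and serialises the state into a cookie.

```javascript
// Added example (hypothetical implementation, not from the article): purpose-specific
// consent gating. Nothing except strictly necessary processing is allowed until the data
// subject explicitly opts in, and a later withdrawal (opt-out) always overrides an earlier grant.

// Purpose names are assumed for this example; a real site would define its own.
const PURPOSES = Object.freeze({
  necessary: { requiresConsent: false, label: 'Strictly necessary cookies (e.g. session)' },
  analytics: { requiresConsent: true, label: 'Analytics cookies' },
  advertising: { requiresConsent: true, label: 'Advertising cookies and pixels' },
  newsletter: { requiresConsent: true, label: 'Monthly newsletter by email' },
  portfolio_updates: { requiresConsent: true, label: 'Investment portfolio updates by email' },
});

class ConsentRegister {
  constructor() {
    // Append-only trail of decisions; it doubles as evidence of how consent was obtained.
    this.events = [];
  }

  grant(purpose, source, at = Date.now()) { this.record(purpose, 'granted', source, at); }
  withdraw(purpose, source, at = Date.now()) { this.record(purpose, 'withdrawn', source, at); }

  record(purpose, action, source, at) {
    if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
    if (!source) throw new Error('a consent decision must record where it was obtained');
    this.events.push({ purpose, action, source, at });
  }

  // Default deny: unknown purposes and purposes the subject never answered are "no".
  // Otherwise the latest recorded decision for that purpose wins.
  isAllowed(purpose) {
    const def = PURPOSES[purpose];
    if (!def) return false;
    if (!def.requiresConsent) return true;
    let allowed = false;
    for (const e of this.events) {
      if (e.purpose === purpose) allowed = e.action === 'granted';
    }
    return allowed;
  }

  // Everything recorded about one purpose; an empty array means the subject was never asked.
  evidence(purpose) {
    return this.events.filter((e) => e.purpose === purpose);
  }
}

// Only the trackers whose purpose is currently allowed may be loaded.
function allowedTrackers(register, trackers) {
  return trackers.filter((t) => register.isAllowed(t.purpose));
}

// Refuse to send a message unless the recipient opted in to that exact purpose.
function canSend(register, message) {
  return register.isAllowed(message.purpose);
}

// Serialise the current state into a Set-Cookie value (hypothetical cookie name 'consent').
// Secure and SameSite=Lax keep it off plain HTTP and out of cross-site requests.
function consentCookie(register, maxAgeDays = 180) {
  const state = {};
  for (const p of Object.keys(PURPOSES)) {
    if (PURPOSES[p].requiresConsent) state[p] = register.isAllowed(p) ? 1 : 0;
  }
  const value = encodeURIComponent(JSON.stringify(state));
  return `consent=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; Secure; SameSite=Lax`;
}

// Constructed sample trackers for the demo; not real tags.
const SAMPLE_TRACKERS = [
  { name: 'session-cookie', purpose: 'necessary' },
  { name: 'analytics-tag', purpose: 'analytics' },
  { name: 'ad-pixel', purpose: 'advertising' },
];

// The scenario from the text: a user who wants portfolio updates but no newsletter.
function demo() {
  const r = new ConsentRegister();
  r.grant('analytics', 'cookie banner');            // ticked analytics on the banner
  r.grant('portfolio_updates', 'account settings'); // subscribed to portfolio updates only
  const before = allowedTrackers(r, SAMPLE_TRACKERS).map((t) => t.name);
  const newsletterOk = canSend(r, { purpose: 'newsletter', to: 'user@example.com' });
  const portfolioOk = canSend(r, { purpose: 'portfolio_updates', to: 'user@example.com' });
  r.withdraw('analytics', 'preference centre');     // later opt-out must win
  const after = allowedTrackers(r, SAMPLE_TRACKERS).map((t) => t.name);
  return { before, newsletterOk, portfolioOk, after, cookie: consentCookie(r) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The design point is the default: a purpose the visitor never answered is treated as refused, and the register keeps the source of every decision so you can show where and when consent was obtained if the Regulator or the data subject asks.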

The Act also changes the way you notify people when a security breach occurs: if there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person, you must notify the Information Regulator and the affected data subjects as soon as reasonably possible.

There are many ways to implement POPIA; it’s important to pick the right one for your organisation during this 12-month period.

So, what to do, to prevent that awful sound of a prison cell door thudding shut behind you? (Only kidding, they close like any other door.)

There are benefits to complying with the Act. Consumer studies show that in 90% of cases people feel safer doing business with companies that are transparent about how they use their information, which increases customer confidence in the organisation. Wouldn’t you be happier if you knew how your information was being stored, and why? Companies that take these measures are likely to have a more reliable database, which in itself has numerous upsides.

With POPIA compliance, it’s not a case of ‘one size fits all’, as every organisation needs to implement different measures. For example, an SME’s requirements are very different to that of a medium or large-sized organisation.

Every organisation, no matter its size, already has someone who holds the role of Information Officer by default: under POPIA it is the head of the body (the CEO or equivalent) unless the duties are delegated. (Some call them the ‘know-all’; other times it is a clearly defined role with an official title.) This is the person responsible for ensuring that your organisation complies with POPIA.

So, that person who always jumps on the bandwagon to make sure you follow policies may be the ideal Information Officer. If that’s you, ask yourself whether you are happy with that responsibility and want to continue as Information Officer. If not, the question is: who should be?

Ultimately, accountability for compliance rests with the responsible party: a public or private body, or any other person, which alone or together with others determines the purpose of and means for processing personal information. As a rule, the responsible party must be domiciled in South Africa, or the processing must take place within South Africa (subject to certain exclusions).

What you still need to do depends on the foundations already laid to protect personal information: some companies may have many procedures in place, while others may be entirely new to this exercise.

Managing information is the crux of the process. You’ll have to categorise the consumer data you hold and determine whether it counts as ‘personal information’. You’ll also have to identify any ‘records’ and any ‘special personal information’ (religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behaviour), because different rules apply to personal information, special personal information and non-personal information.

Broadly, processing covers anything that can be done with personal information: collection, use, storage, dissemination, modification or destruction, whether automated or not.

The POPI Act is about capturing the minimum data required, keeping it accurate, and deleting data that is no longer needed. Its conditions boil down to this: make sure the information you collect is needed for a specific purpose, and apply practical security measures to safeguard it. Keep it accurate, relevant and up to date, and don’t be overzealous: only hold as much as you need for as long as you need it; there is no reason to hoard. And if the data subject asks, they must be given access to their information.

In brief, what you need to do:

Appoint an information officer: If the organisation does not already have one, the first step to compliance would be to appoint an information officer, in line with the requirements set out in POPIA.

Clarity of definition: Make sure everyone in the company, from the top down, understands what data privacy legislation entails and what is required of them, to ensure effective compliance.

Conduct self-audits: Once staff are informed, conduct self-assessments and audits throughout the organisation, within each business unit. It is important to understand what information is collected, how and by whom; what it is used for; how it is stored and processed; and how it is retained and destroyed. Most importantly, was it collected with the requisite consent? After this, the company will be better able to identify gaps and produce a clear gap analysis and risk assessment report.

Develop a compliance protocol: An appropriate gap analysis will help pinpoint processes and policies to be put in place, which may include:

  • updates to employment contracts
  • updates to supplier agreements
  • changes to marketing practices (opt-in and opt-out best practice) and more.

Implement: Once the compliance framework is in place, monitor and maintain it, and ensure proper implementation of new policies and procedures through in-depth training, awareness campaigns, annual re-training and compliance audits.

In a nutshell, POPIA is a code of conduct for all businesses. While every company will be affected by the Act, it will hit hardest those that deal with large amounts of personal information: think banks, insurance companies, medical aids and so on. That’s not to say that a smaller concern can dodge the Act, as all companies need to have systems in place to deal with personal information.

When in doubt, find out!

Disclaimer: While listed sources have been referenced, we cannot be held responsible for incorrect information being unwittingly relayed. Please consult the government website for confirmation, or for any queries.
