POPI Act Compliance

What is POPI Act?

POPI Act stands for the Protection of Personal Information Act, which was passed into law in 2013. From 2014, various sections of the Act came into force. In July 2020 the president announced that the remaining sections of the Act will come into effect in July 2021. The purpose of the Act is to protect personal information, to strike a balance between the right to privacy and the need for the free flow of, and access to, information, and to regulate how personal information is processed.

What is regarded as personal information?

In terms of the POPI Act, it is data that can be used to determine your identity. This includes, but is not limited to: race; gender; pregnancy status; marital status; nationality; ethnic group; social origin; skin colour; sexual orientation; age; physical or mental health; disability; religion; religious persuasion; cultural, language, educational, medical, financial, criminal or occupational history; identity numbers; email address; residential address or residential area; postal address; vehicle registration number; banking details; telephone number; biometric information; and your personal opinion or likes and dislikes.

To whom does the Act apply?

The Act applies to anyone who keeps any type of records relating to the personal information of anyone, unless those records are subject to other legislation which protects such information more stringently. It therefore sets the minimum standards for the protection of personal information. It regulates the “processing” of personal information. “Processing” includes collecting, receiving, recording, organising, retrieving, or using such information; or disseminating, distributing or making such personal information available. The Act also relates to records which you already have in your possession. In effect, the legislation introduces a framework for Information Governance.

Here’s an indicator of the typical impact of the Act on business operations,

What other legislation in South Africa regulates people’s privacy?

Although the POPI Act will be the primary legislation on the protection of information, it is not the only law. Other acts regarding the protection of people’s information will have to comply with the regulations in the Act. The following existing acts will remain valid but will have to be amended to make sure that they are compatible with POPI and that there is no duplication. The relevant acts are as follows:


  • the Electronic Communications and Transactions Act
  • the Promotion of Access to Information Act
  • the National Credit Act and Consumer Protection Act
  • Cybercrimes Act

What is the consequence of non-compliance?

Anyone who is found guilty of the following offences:

  • Any person who hinders, obstructs or unlawfully influences the Regulator;
  • A responsible party which fails to comply with an enforcement notice;
  • Offences by witnesses, for example, lying under oath or failing to attend hearings;
  • Unlawful acts by a responsible party in connection with account numbers;
  • Unlawful acts by third parties in connection with account number.

may face a maximum penalty of a fine (which may be up to R10 million) or imprisonment for a period not exceeding 10 years, or both a fine and such imprisonment. For the less serious offences, for example, hindering an official in the execution of a search and seizure warrant

What Is Your Company's Compliance Status?

In order to help you identify potential areas of weakness, we have prepared a quick survey that you can complete in a few minutes. We'll then give you feedback that will indicate your company's current compliance status.

With Every Challenge Comes An Opportunity

Additional legal red tape is not welcome to an entrepreneur. Even so, there is an opportunity to leverage the provisions of the POPI Act to set up information management systems that are founded on best practices. Such an approach will benefit your business as it grows.
