An introduction to the Protection of Personal Information Act (or POPI Act or POPIA) | Western Cape Government

An introduction to the Protection of Personal Information Act (or POPI Act or POPIA)





Purpose of the Act

The increasing number of cases of theft and misuse of people’s personal information has led to the need to promulgate regulations to protect personal information and one’s right to privacy. The POPI Act sets out the minimum standards for accessing and ‘processing’ any personal information belonging to another. The Act defines ‘processing’ as collecting, receiving, recording, organizing, retrieving, or the use, distribution or sharing of any such information.


The POPI Act (POPIA) was signed into law in November 2013, and the remaining provisions of the Act were due to come into effect on 1 April 2020. However, given the current Covid-19 pandemic and the emergency need to redeploy efforts, these were delayed. The President issued a Proclamation on 22 June 2020 commencing some sections of the POPI Act, which came into effect on 1 July 2020, namely sections 2 to 38, 55 to 109, 111 and 114(1), (2) and (3). These sections largely deal with the application and exclusion provisions, the lawful processing of personal information and respective exemptions, the Information Officer, prior authorization, codes of conduct and provisions regulating direct marketing. Sections 110 and 114(4) are due to come into effect on 30 June 2021.


Defining personal information

Personal information is any information that may identify a person, such as a name, surname, identity number, contact number, email address, religion, medical history, education, financial or any other information that is unique to an individual.


How this Act impacts you as a business owner

All organisations in South Africa (of any size) and individuals that are in a position to obtain, handle and store the personal information of another individual, whether in terms of their employment or as suppliers or service providers, must adhere to the requirements of the Act and implement steps to safeguard this information. Companies have 12 months to get their systems and processes in place to comply with the Act, in this case until 1 July 2021. Non-compliance could result not only in reputational damage and/or potential civil damages claims, but also in punitive fines of up to R10 million or 10 years' imprisonment, or a combination thereof.


Ensuring compliance with POPIA in your business