POPI is a South African law that ensures that any personal information that you give out is protected. The law stipulates a set of rules that organisations have to follow in terms of how they collect, use, keep or remove data.
POPIA stands for the Protection of Personal Information Act (often called the POPI Act).
The law has been effective since 1 July 2020.
POPI applies conditions for the lawful processing of personal data of South African citizens and those living in South Africa.
Any person or organisation who keeps records relating to personal information, such as an individual's name, signature, address, phone number, credit information or date of birth, needs to comply with the POPI Act, unless those records are protected more stringently by other legislation. It sets the minimum standards for the protection of personal information.
The purpose of the POPI Act is to protect personal information, striking a balance between the right to privacy and the need for the free flow of information, as well as access to information, whilst regulating how personal information is processed. It is intended to protect consumers and legitimate businesses from those that don't comply.
Ensure your employees are aware of the POPI Act and adhere to the regulations set out in it.
Assess how your clients' and employees' data is collected, stored, processed, and eventually disposed of.
Review, create and set up the correct policies and procedures to ensure the compliant processing of personal information.
Policies and procedures should be assessed or audited by a POPI specialist to make sure they align with the requirements of the POPI Act.
Adequate communication and training on all policies and procedures should be provided to your staff.
The South African Information Regulator may impose a fine or imprisonment of up to 12 months (Section 107 of the POPI Act).
In some cases, depending on which sections of the Act you fail to comply with, or if you are convicted of an offence in terms of the Act, you may be liable for a fine of up to 10 million or up to 10 years' imprisonment. If your clients are impacted by a data breach, POPIA even empowers them to take civil action for damages.
POPI is the act of protecting Personal Information, implying that all the policies, procedures, processes and practices in the organisation relating to personal information, are in fact doing POPI. POPIA is merely the name of the law, and so you cannot “do” POPIA. To comply with POPIA, you need to implement a POPI programme.
POPI does not apply to a deceased person because the definition of 'personal information' requires that the data subject (i.e. the person) be 'living'.
POPI is the South African data privacy law and it stands for the Protection of Personal Information Act, 2013, also referred to as POPIA. It governs when and how businesses, companies or organisations collect, use, store, delete and otherwise handle personal information.
No, the POPI Act does not apply to social media as it does not protect public information. Any information that you share publicly will automatically fall outside of this Act's protection. If you list your email address or mobile number on any social media platform, and that information is publicly available, it is then free for companies to collect and use.
The role players are:
- The data subject: the person to whom the information relates.
- The responsible party: the person who determines why and how personal information is processed, such as for-profit companies, non-profit companies, governments, state agencies and individuals. The responsible party is responsible for the lawful processing of personal information.
- The operator: a person who processes personal information on behalf of the responsible party, such as an IT specialist or lawyer.
The Information Officer of an organisation is the "go to" person when it comes to information. By default, every South African organisation has one. Did you know that the Promotion of Access to Information Act, or PAIA, automatically designates a person in each organisation as an officer? This person is different from the Chief Information Officer, or CIO. That person is specifically called an Information Officer.
Every organisation or company, whether a public or private body, has one. National departments, provincial administrations and municipalities all have an information officer. Companies, CCs, partnerships and trusts are not exempt; they all have an information officer by default.
The role of the information officer is to encourage compliance by the company with the conditions for the lawful processing of personal information in terms of POPIA, and specifically to:
1. Deal with requests made to the organisation in terms of POPIA;
2. Work with the Information Regulator in relation to investigations conducted in relation to the body;
3. Otherwise ensure compliance by the body with the provisions of POPIA;
4. Make sure a compliance framework is developed, implemented, monitored and maintained;
5. Develop, monitor, maintain and make available a PAIA manual;
6. Ensure that a personal information impact assessment is done in the company so that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
7. Ensure that, subject to the exemptions already mentioned, a manual is developed, monitored, maintained and made available as prescribed in terms of POPIA and PAIA;
8. Develop measures and adequate systems within the organisation to process requests for access to information; and
9. Ensure that internal awareness sessions are carried out regarding the provisions of POPIA.
The National Assembly voted in favour of Advocate Pansy Tlakula being appointed as the National Information Regulator.
You can report a POPI violation by e-mailing .
Your complaint will be dealt with by an adjudicator. If you are not happy with the determination of the adjudicator, you can still approach the Information Regulator for another ruling.
- Personal or household activity
- Processing any personal information that has been de-identified.
- Crime investigation by the SAPS
- Terrorist and related activities
- Journalists, authors and artists freely expressing themselves
- Historical, statistical or research activities
- Where the public interest in processing the information outweighs the privacy of the data subject
- Processing personal information for purely journalistic, artistic or literary purposes
A data subject is an individual whose personal information has been processed. When you keep someone's personal data on file, that person becomes a data subject, and you have to respect their data subject rights.
Where a WhatsApp group is created to facilitate family related or personal matters, such as between family, friends or acquaintances, then POPIA will not apply.
If a WhatsApp group is created by a business for marketing purposes, the business is required to obtain consent before adding the relevant person to the WhatsApp group.
Where a business makes use of a contact list or mailing list to broadcast messages through WhatsApp, consent from those individuals who do not constitute existing customers of the business is required.
One of the aims of the POPI Act is to protect consumers by safeguarding their personal information. The Act helps protect consumers from having their money and identity compromised or stolen, as well as keeping their personal information private. Personal information can only be collected and/or used where there is a lawful justification for it.
The POPI Act regulates direct marketing using electronic communication and the Consumer Protection Act (CPA) regulates all forms of unsolicited direct marketing activities. Organisations using this type of marketing should make use of consent forms to “opt-in” rather than just offering the “opt-out” option.
PAIA and POPIA are both "information" laws, with the former protecting the right to access and freedom of information and POPIA protecting against the unjustified exposure of personal information. Both Acts complement each other in ensuring that information is managed lawfully.
The POPI Act is a South African law that extends its protection of collected information to companies and corporations as well as individuals. The POPI Act applies to everyone in South Africa who processes the personal information of any South African citizen or organisation, while the GDPR is a European Union (EU) law relating to the personal information of individuals.
The POPI Act states that call centres are obliged to only use information for the purposes for which it was originally collected. POPIA does not prohibit cold calling; however, companies and consumers need to be aware that the Consumer Protection Act (CPA) imposes prohibitions on cold callers.