POPIA

In 2013 the Protection of Personal Information Act (POPIA) was promulgated to give effect to the constitutional right of privacy of information in South Africa. The law governs when and how organisations collect, use, store, delete and otherwise handle personal information.

​

Compliance with POPIA came into effect on 1 July 2020 but all organisations that process personal information was given one year grace period to become compliant. This means that all organisations should have been compliant by 1 July 2021.

​

A quick breakdown of what POPIA is and means to your business:

​

• POPIA practically came into effect on 1 July 2020

• Enforcement of POPIA will happen from 1 July 2021

• POPIA applies to any company or organization processing personal information in South Africa

• POPIA creates eight conditions for lawful processing of personal information

• POPIA creates various rights for individuals and businesses (data subjects) regarding the personal information they provide, including but not limited to the right to access, right to correction and right to deletion of personal information

• POPIA creates a definition for 'personal information' and 'processing' that is so wide that it just about includes anything you can do with any type of information obtained from role players within an organisation

• Obtaining consent of the data subject to process their personal information is central to POPIA. It is up to websites, companies and organisations (“responsible parties”) to prove that their processing is lawful and that the necessary consents have been obtained from data subjects to process their personal information

• Non-compliance with POPIA can lead to fines up to Ten Million Rand and even imprisonment

• POPIA creates more stringent requirements for direct marketing