Knowing the basics is a good place to start
Start by reading through the what, when, why FAQ.
Then use our Get Informed page to get more information and to find suppliers who can help.
If you’re feeling overwhelmed or would prefer a personalised overview, you may want to book a POPI Intro hour.
What is POPI all about?
POPI refers to South Africa’s Protection of Personal Information Act. This new law regulates the Processing of Personal Information.
“Personal Information” broadly means any information relating to an identifiable, living natural person or juristic person (companies, CCs, etc.). This includes, but is not limited to:
- contact details: email, telephone, address etc.
- demographic information: age, sex, race, birth date, ethnicity etc.
- history: employment, financial, educational, criminal, medical history
- biometric information: blood type etc.
- opinions of and about the person
- private correspondence etc.
“Processing” means broadly anything done with the Personal Information, including collection, usage, storage, dissemination, modification or destruction (whether such processing is automated or not).
Some of the obligations under POPI are to:
- only collect information that you need for a specific purpose
- apply reasonable security measures to protect it
- ensure it is relevant and up to date
- only hold as much as you need, and only for as long as you need it
- allow the subject of the information to see it upon request
When will POPI affect me?
The Act was signed into law in November 2013. The Information Regulator was formally introduced in February 2017. The commencement date for the Act is 1 July 2020, after which a compliance grace period of 1 year will exist. All organisations that process Personal Information will have to comply with the Act by 1 July 2021.
There is a mechanism by which the grace period could be extended to a maximum of 3 years, but there is no indication whether this will be done (Section 114).
You can read about the Information Regulator here.
Does POPI really apply to me?
Accountability for compliance rests with a Responsible Party, meaning a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. Generally, the Responsible Party must be resident in South Africa or the processing should occur within South Africa, subject to certain exclusions (Section 3(1)).
There are cases where POPI does not apply. Exclusions (Section 6) include:
- purely household or personal activity
- sufficiently de-identified information
- some state functions including criminal prosecutions, national security etc.
- journalism under a code of ethics
- judiciary functions etc.
Why should I comply with POPI?
POPI promotes transparency with regard to what information is collected and how it is to be processed. Openness increases customer trust in the organisation.
POPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. These measures should improve the overall efficiency and reliability of the organisation’s databases. Less data also means less storage / archiving cost and a smaller impact in the event of a breach (the safest data is that which you don’t unnecessarily store in the first place).
Compliance demands identifying Personal Information and taking reasonable measures to protect the data. This will minimise the risk of data breaches and the associated public relations and legal ramifications for the organisation.
Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and / or imprisonment of up to 12 months. In certain cases, the penalty for non-compliance could be a fine and / or imprisonment of up to 10 years (Section 107).
What do I do about it?
Compliance is not a one-size-fits-all exercise.
We’re available to help you get started; book some time with us.