Applying the POPI Act to your business

Chanique Rautenbach


Associate | Attorney

If you didn’t already know, a significant portion of the POPI Act came into effect in South Africa on Wednesday, 01 July 2020. It will be important for companies to understand their obligations and duties in regard to the Act because failure to comply will carry heavy fines.

1. What is the POPI Act?

The Protection of Personal Information Act is an important bit of legislation because it gives effect to section 14 of our Constitution which says that everyone has the right to privacy.

The Act promotes the protection of all personal information that is gathered and processed by public and private organisations – and provides guidelines that help balance the right to privacy against other rights, such as access to information.

2. Why is the Act being implemented in stages?

Since it was passed in 2013, the POPI Act has gradually been put into operation. Some of the sections that relate to the Information Regulator were implemented in 2014, but the Regulator only began operations in 2016. Naturally, many of the provisions of the Act require a great deal of preparation, and so it has made sense to roll it out incrementally.

3. Which part of the Act came into effect on 01 July 2020?

The remaining sections of POPI that deal with the obligations of a “responsible party” that processes and stores “personal information” commenced on 01 July. The mandatory data breach notification provisions also became effective on that day.

These sections of the Act will essentially affect the way you deal with the information you collect, share and use via your marketing channels such as websites, e-mail marketing campaigns, telephonic marketing etc.

It also governs the manner in which you collect, store and utilise the personal data of your clients, personnel and potential clients. You will be expected to collect the data responsibly, store it securely, handle it ethically and communicate your intentions clearly.

In June 2021, the sections of the POPI Act that deal with the amendments of law and changes required to the Act will become effective.

4. By when must companies have everything in place?

Fortunately, businesses will have a year to review, understand and activate their POPI-compliant programs. Many larger companies have already appointed Data Compliance Officers / Chief Compliance Officers who will now begin explaining procedures and requirements to their colleagues.

Twelve months isn’t a lot of time, particularly when one considers that you will have to deal with a few fairly complex requirements such as Accountability; Processing limitation; Purpose specification; Further processing limitation; Information quality; Openness; Security safeguards; Data subject participation; Ts & Cs and more. So, it is advisable to begin consulting POPIA specialists as soon as possible.

5. Where should I start? What must I do?

The POPI Act is a wide-ranging compliance mechanism that will affect many areas of your business structure and operation. One’s first reaction upon hearing about new rules and legislation for organisations is to begrudge them as more “red tape”. However, it is important to remember that the POPI Act, in giving animation to an important section of our Constitution and Personal Rights, will be protecting you and your clients / members alike.

Whether you are a sole proprietor, company director, club manager, school principal or executive at an NGO, we encourage you to engage with our team who will be able to unpack the main parts of POPI compliance for you, and devise a strategy for meeting the requirements in time.
