The Act deals specifically with the protection and handling of personal information and data that is processed and received by both public and private individuals and institutions.

The aim of the Act is to enable all institutions across South Africa to securely store and regulate our personal information that has been obtained. The Act sets out conditions in order for companies to lawfully process all personal information of data subjects.

What data does it entail?

Any data that can be used to identify a living and natural person and where applicable existing juristic persons.

Examples are: race, gender, sex, educational, financial, criminal and / or employment history, identity number, e-mail address, etc.

Who needs to comply?

EVERYONE. All companies or individuals who deal with personal information will be affected by this Act.

What needs to be done in order to be complaint?

The Act proposes that a detailed investigation must be conducted pertaining to the type of information that is gathered and stored by ALL companies and individuals. They must classify consumer data and identify if it constitutes as โ€œpersonal informationโ€. Once this has been established, steps and polices must be implemented stipulating how you must handle and deal with the lawful processing of personal information and regulation thereof.

You can do this by appointing an information officer / compliance advisor who will conduct an information impact assessment. The information officer will develop a compliance framework which will be inclusive of processes, compliance policies and codes of conduct related to the handling of personal information. Your job, once this has been done, is to implement the policies at your place of business.

How much time do you have?

The deadline to be fully POPI complaint is 1 July 2021.

Consequences for not complying?

You are considered non-complaint if:

  • Hinderance, obstruction or unlawfully influencing the Regulator;
  • Failure to comply with an enforcement notice;
  • Failure to attend hearings or lie under oath;
  • Act unlawfully in connection with account numbers; or
  • Do not have any policies in place to regulate the processing of personal information.

More serious offences โ€“ a maximum penalty in the form of a fine for R10 million or imprisonment for a maximum period of up to 10 years or both.

Less serious offences โ€“ a maximum penalty in the form of a fine or imprisonment for a maximum period of up to 12 months or both.

The offences will be established on a case-to-case basis.

Should you be interested in using our services to reach your POPI Compliance before 1 July 2021 or require more information, do not hesitate to contact our team of compliance advisors on: /

This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your legal adviser for specific and detailed advice.

About the author