Skip to content

South Africa’s Protection of Personal Information Act - What is POPI all about?

popiPOPI refers to South Africa’s Protection of Personal Information Act which seeks to regulate the Processing of Personal Information. Personal Information broadly means any information relating to an identifiable, living natural person or juristic person (companies, CC’s etc.) and includes, but is not limited to:

  • contact details: email, telephone, address etc.
  • demographic information: age, sex, race, birth date, ethnicity etc.
  • history: employment, financial, educational, criminal, medical history
  • biometric information: blood type etc.
  • opinions of and about the person
  • private correspondence etc.

Processing means broadly anything that can be done with the Personal Information, including collection, usage, storage, dissemination, modification or destruction (whether such processing is automated or not).

Some of the obligations under POPI are to:

  • only collect information that you need for a specific purpose
  • apply reasonable security measures to protect it
  • ensure it is relevant and up to date
  • only hold as much as you need, and only for as long as you need it
  • allow the subject of the information to see it upon request

When will POPI affect me?

The Act was signed into law in November 2013. We are now awaiting a commencement date for the act. After the commencement date, a compliance grace period of 1 year will exist, which may be extended to a maximum 3 years.

Does POPI really apply to me?

Accountability for compliance rests with a Responsible Party, meaning a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. Generally the Responsible party must be a resident in South Africa or the processing should occur within South Africa (subject to certain exclusions).

There are cases where POPI does not apply. Exclusions include: 

  • purely household or personal activity
  • some state functions including criminal prosecutions, national security etc.
  • journalism under a code of ethics
  • judiciary functions

Why should I comply with POPI?

POPI promotes transparency with regard to what information is collected and how it is to be processed. This openness is likely to increase customer confidence in the organisation. POPI compliance involves capturing the minimum required data, ensuring accuracy, and removing data that is no longer required. These measures are likely to improve the overall reliability of the organisation databases. Compliance demands identifying Personal Information and taking reasonable measures to protect the data. This will likely reduce the risk of data breaches and the associated public relations and legal ramifications for the organisation. Non-compliance with the Act could expose the Responsible Party to a penalty of a fine and / or imprisonment of up to 12 months. In certain cases the penalty for non-compliance could be a fine and / or imprisonment of up 10 years.

How can Foregenix Help you:

  • POPI Workshop to be conducted to bring an understanding on what POPI is and how it can affect the business, assisting to get all the stakeholders onto the same page
  • General Security Consulting to assess, rectify and remediate the environment and or process
  • Foregenix can conduct a Security GAP Analysis to assess your environment and security posture
  • Out of the GAP analysis there will be recommendations that will need to be actioned
  • POPI Awareness campaigns to be run in the business
    • POPI Online Training
    • Internal and External Penetration Testing can be conducted to show where the vulnerabilities reside
    • Vulnerability Scanning can be conducted as a security measure
    • Incident Response and Readiness Testing
      • Planning and Simulation
      • Forensic Investigation skills are available if required

Please get in touch to discuss how we can help you.