POPI Info

What is POPI?
POPI is South Africa’s data privacy law and it stands for the Protection of Personal Information Act, 2013. It is sometimes also referred to as POPIA (Protection of Personal Information Act). It governs when and how organisations collect, use, store, delete and otherwise handle personal information.
What is personal information under POPI?
Generally speaking, personal information is any information that can be used to personally identify a natural or juristic (i.e. organisations) person. This information about a person includes, but is not limited to:
  • Name & Age
  • Race
  • Gender / Sexual Orientation
  • Pregnancy
  • Marital Status
  • National / Ethnic / Social origin
  • Physical or Mental health
  • Disability
  • Religion / Beliefs / Culture
  • Language
  • Educational / Medical / Financial / Criminal Or Employment history
  • ID number
  • Email address / Contact numbers
  • Location / Physical address
  • Photos / Video footage / Voice recordings / Biometric information
  • Personal opinions / Views or Preferences
Who does POPI apply to?
POPI applies to all local and foreign organisations processing (i.e. collecting, using or otherwise handling) personal information in South Africa.
What do the final POPI regulations deal with?
  • How a data subject can object to the processing of their personal information.
  • How a data subject can request the correction or deletion of information.
  • The responsibilities of an information officer.
  • How to apply for the regulator to issue a code of conduct.
  • How to request marketing consent.
  • How to submit a complaint to the regulator.
  • How the regulator will act as a conciliator in investigations.
  • What the regulator must do before it investigates you.
  • How the regulator will try to settle complaints.
  • How the regulator will conduct assessments.
  • How the regulator will notify people during investigations.
What is POPI compliance?
You will need to establish measures that ensure that you only collect, use, store, delete and otherwise handle personal information in permitted ways and that it is appropriately protected from unauthorised access or loss.
The measures that each organisation employs will be different, but in practice, it will mean more policies and procedures for your organisation and you will need to inculcate a culture of data protection in your organisation.
Does POPI provide any benefit to businesses?
POPIA provides the opportunity to analyse and have more control over the data handled within your organisation and to better understand its purposes. As data is an increasingly valuable resource, better data management can increase the efficiency and effectiveness of any business.
What does POPI mean for consumers?
Consumers will benefit from POPI’s requirements in that their personal information must be protected and it can only be collected or handled where there is a lawful justification for doing so. POPI gives consumers specific rights in respect of organisations handling their personal information and it gives consumers greater control over their personal information. Consumers are informed about what personal information is collected, by who and why so that consumers are able to make informed decisions.
Who regulates POPI?
POPI is regulated by the Information Regulator.
What are the fines and penalties for non-compliance?
The fines and penalties vary depending on the offence, with a maximum of 10 years in prison or a R10 million fine.
Does POPI add anything to my constitutional right to privacy?
Every person has a constitutional right to privacy, which has many aspects (including privacy in the home, private communications and private information about a person). POPI gives practical effect to that right insofar as it relates to personal information handled by organisations. It provides a direct mechanism through which that aspect of the right can be enforced.
What are their responsibilities?
Under POPIA and the regulations: The Information Regulator is responsible for ensuring that their organisation complies with the POPI Act. They are a key person in any project or programme.
A Responsibly Party is a public or private body or any other person which alone or in conjunction with others determines the purpose of and means for processing personal information.
An information regulator and responsible party (or body) must:
  • encourage compliance with conditions for the lawful processing of personal information,
  • deal with requests made pursuant to POPIA (presumably by the Information Regulator or Data Subjects),
  • work with the Regulator in relation to investigations conducted related to prior authorisations (pursuant to Chapter 6 in relation to the body),
  • otherwise, ensure compliance by the body with the provisions of POPIA,
  • develop, implement and monitor a compliance framework,
  • ensure that a personal information impact assessment is done to ensure that adequate measures and standards exist,
  • develop, monitor, maintain and make available a PAIA manual,
  • develop internal measures and adequate systems to process requests for access to information,
  • ensure that internal awareness sessions are conducted, and as may be prescribed.
These responsibilities are set out in section 55 of POPIA.
The third-party Operator is a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Regardless of the fact that an operator might also be a responsible party in its own right; when instructed or contracted to deliver a processing service on behalf of the responsible party for a specific purpose they act as an operator.