The Protection of Personal Information Act (“POPIA”): Are You Ready?

March 8, 2018

1. Why POPIA?

The Protection of Personal Information Act (“POPIA”):

  • gives effect to the constitutional right to privacy, enshrined in South Africa’s Constitution. (The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information).
  • is based on international best practice and is a reflection of the best features of international privacy legislation. It follows King IV’s principles and accommodates international standards.

Protecting personal information is not only a statutory duty but also represents sound business practices.


2.1 During April 2014, sections of POPIA dealing with the aspects listed below, came into force:

  • providing the definitions of certain terms that are used in the Act;
  • dealing with the appointment of the administrative body (“the Information Regulator”) which oversees the operation of the Act; and
  • empowering the Minister and the Information Regulator to make regulations regarding the implementation of the Act.

2.2 The Information Regulator (“IR”) was established at the end of 2016 and is empowered to monitor and enforce compliance in line with the provisions of the Promotion of Access to Information Act, 2000 (“PAIA”) and POPIA. (Refer to the Information Regulator’s website: for more information in this regard).
2.3 The IR has published draft POPIA regulations in September 2017, for public comment by 7 November 2017. Amongst others, the draft regulations covered the following aspects:

  • Manner of lodging an objection to processing of personal information;
  • Requests for correction, deletion or discarding of personal information;
  • Duties and responsibilities of Information Officers;
  • Application to issue a Code of Conduct;
  • Request for data subject’s consent for processing of personal information for the purpose of direct marketing by means of unsolicited electronic communications;
  • Submission of complaint or grievance; and
  • Regulator acting as conciliator during an investigation.

2.4 In November 2018, the IR indicated that the anticipated publication date of the final regulations is April 2018.
The IR also indicated that it endeavours to be fully operationalised in 2018 and that the remaining sections of the Act will commence once the Regulator is fully operational.

3. Effective date

Once the Act comes into full force, business practices must be brought in line with the new requirements within 12 months (with the Information Regulator having an option to extend this period for another two years). Based on international benchmarking, it takes up to three years to become compliant with the requirements of similar privacy legislation in other countries.

4. Areas of business impacted by POPIA

The biggest impact on business will generally be in the following areas:

  • Customer interaction;
  • Human Resources (processing of employee information);
  • Marketing and advertising;
  • Procurement (processing of supplier information);
  • Information Management (the classification, retention and security of information);
  • Finance: debtors and creditors information; and
  • Cross-border transfers of Personal Information.

It is also imperative that organisations ensure compliance with PAIA and it is recommended that PAIA compliance be included in the scope of POPIA readiness exercises.

5. Potential risks to business

Non-compliance poses a huge reputational risk, financial risk (administrative fines of up to R10 million) and operational risk (such as spending operational time to reactively align business processes, documents and systems with the legal requirements).

6. What should we be doing now?

If not done already…

  • Awareness training
  • Assess impact of POPIA on your organisation
  • Identify readiness milestones, allocate timelines and responsibilities
  • Ensure that the role of Information Officer in terms of PAIA and POPIA is designated and that the individual is aware of his or her duties and responsibilities
  • Amend business processes, documentation and align IT systems

Written by Karus Prinsloo
EOH Legal Services

EOH Legal Services can help

EOH Legal Services have been assisting clients in industries such as retail, manufacturing, tertiary education, aviation, mining and financial services with POPIA services (including conducting readiness overviews and preparing POPIA Roadmaps, awareness training, legal opinions and consulting services).
Please refer to for more information about our value-adding compliance service offerings and contact Karus Prinsloo on 087 405 1827 or for more information in this regard.

The BarnOwl Compliance module is fully integrated with the EOH Legal Services content

The BarnOwl compliance module enables an organisation to manage its regulatory universe by rating and monitoring compliance with the acts, regulations and provisions at every level of the organisation, where applicable. BarnOwl offers a pre-built compliance framework based on best practice compliance management processes as set out in the SA Compliance Institute’s handbook (Generally Accepted Compliance Practice Framework (GACP)):

  • Phase I – Compliance Risk Identification
  • Phase II – Compliance Risk Assessment
  • Phase III – Compliance Risk Management (Control optimisation)
  • Phase IV – Compliance Risk Monitoring

Compliance legislation from EOH Legal Services can be imported directly into BarnOwl. Updates to the regulations and provisions can be uploaded into BarnOwl automatically. Please see for more information on the BarnOwl compliance module.

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia, Europe and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.

Please see for more information.