BarnOwl Info Sharing Insight: The Protection of Personal Information Act (POPIA) is Here! What now? with Karus Prinsloo

September 8, 2020

BarnOwl Info Sharing session: 22 August 2020

The Protection of Personal Information Act (POPIA) is here! What now?

Presented by Karus Prinsloo, Manager: Regulatory Compliance at Inlexso (Pty) Ltd (inlexso)

Thank you very much Karus for presenting at our info-sharing event on the 27th August 2020. Thank you also to all those who attended which was over 180 attendees.
Karus shared insights with us on:
• How to make sure your organisation is ready by 30th June 2021
• Lessons learned whilst assisting organisations from various sectors and industries
• Risks & opportunities


The commencement date of almost all of POPIA’s requirements, is 1 July 2020 with organisations having one (1) year to comply. A year is a very short timeframe in which to comply! Furthermore, the penalties for non-compliance are significant.

Some background:


  • Was signed into law in 2013 and has been phased into operation.
  • Purpose is to promote the protection of personal information of ‘data subjects’ (natural persons or legal entities).
  • Is based on the constitutional right to privacy and international best practice.
  • Contains definitions to take into account for how the Act works and some definitions are included below for ease of reference.

What is personal information


What is processing:


Who / what is a responsible party, data subject, operator and information officer?


The 8 conditions for processing personal information (PI)


Processing limitations – special conditions


Practical implications and consequences of non-compliance


POPIA is here – what now?

Assess the impact of POPIA’s requirements on your organisation. It will be necessary to change certain business processes, policies and documentation, as well as to align IT systems with POPIA’s requirements. Below are 10 focus points to consider whilst preparing for POPIA’s requirements with commencement date 1 July 2020 and which must be adhered to by 30 June 2021:

  1. Have a plan

A phased approach is important! Identify POPIA’s impact on your organisation, who is responsible for what and by when, to ensure compliance with POPIA.

  1. Two sides of a coin

Relook the organisation’s compliance with the Promotion of Access to Information Act (“PAIA”), while working on POPIA readiness.

  1. Compliance is everybody’s business

Who in the organisation should take the lead with regard to ensuring readiness? Allocate responsibility to a line function or individual who can co-ordinate the organisation’s POPIA readiness drive.

  1. Who is who

POPIA provides for roles of “data subject”, “responsible party” and “operator”. Identify these role players for all instances of processing of personal information.

  1. POPIA is about more than the 8 conditions for processing

Identify the circumstances when “special personal information”, as defined by POPIA, is processed. Ensure that such processing comply with the requirements relating to special personal information.
Address the requirements relating to direct marketing, trans-border information flows and automated processing of information.

  1. Keep it simple: policies and contracts

Prior to developing POPIA specific policies and contracts, ascertain what is currently in place. Obtain advice about the adequacy of POPIA provisions in policies and agreements, prior to developing a “POPIA policy”. It is quite often not required to amend existing contracts.

  1. Hardcopy documents… or just electronic?

Processing of personal information is not only about electronic processing. Remember to include the processing of personal information from physical documents in the scope of readiness assessments.

  1. De-identify to the extent that it cannot be re-identified again… and the other exclusions

Take the circumstances when POPIA is not applicable into account.

  1. The carrot and the stick

Intentionally identify and pursue opportunities which POPIA opens for your organisation. Opportunity could knock in terms of new products and services, or by positioning the organisation as a responsible corporate citizen.

  1. And then… other:

Establish under which circumstances consent should be obtained. Identify quick wins. Chances are that the organisation has an asset register for the physical assets it holds; consider developing an information asset register (with fields such as who uses information for what, and the like). These factors will be explored further in future articles.
Contact  for assistance with regard to your POPIA requirements.

Presentation and Video links:

Please see attached presentation here and video link here
You can find more information about inlexso at or contact Karus at

Useful and associated links:
IT Web: More POPI act sections come into force
IT Web: Data from Experian breach dumped on the Internet
IT Web: Lombard Insurance engages SA authorities after data breach
IT Web: Life Healthcare reveals damage caused by data breach
IT Web: Stefanutti Stocks shuts down IT systems after cyber attack and

Thank you:

Once again thank you Karus for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at:
Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software

About Karus Prinsloo:

Karus Prinsloo

Karus is passionate about providing practical compliance solutions. He has more than 10 years’ experience as consultant and in-house advisor in the legal and compliance environment, advising clients in industries such as logistics, mining, manufacturing, aviation, construction, financial services, banking, agriculture and property.
His experience includes approximately 5 years as advisor and trainer in respect of the Protection of Personal Information Act (POPIA). He has assisted clients with POPIA readiness in industries such as retail, manufacturing, construction, aviation and tertiary education. POPIA training experience includes presenting on POPIA since 2014 and since 2017 on behalf of Enterprises University of Pretoria (Pty) Ltd.
Before joining inlexso (named EOH Legal Services at that stage) in 2015, Karus was a director of iThemba Legal & Compliance (Pty) Ltd, specialising in legal compliance and commercial law.
Karus has practiced as attorney and served as in-house compliance advisor, compliance consultant, company secretary and corporate legal advisor. Karus was admitted as an attorney in 2003.

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see  for more information.