2024 Mid-Year Intake. Applications for mid-year intake are now open. Apply Now!.

PoPIA – How does it affect your business?


PoPIA Image - IMM Blog Image

The Protection of Personal Information Act (often called the PoPI Act or PoPIA) is South Africa’s data protection law. The purpose of PoPIA is to protect people from harm by protecting their personal information.

PoPIA requires extra vigilance in all aspects of physical and information security. The basis of the PoPIA is to protect personal information and prevent information from being exposed to unauthorised persons. As a result, this implies an obligation to protect information relating to natural and juristic persons from any damage, including financial fraud, identity theft, misuse, and the abuse of personal information.

PoPIA is broader in scope than similar data privacy laws in the sense that it is applicable to both “juristic” and “natural persons,” meaning that data about companies and organisations is also protected.

How does PoPIA affect your business?


If you are a South African business owner and your business processes the personal information of South African consumers, you are required to comply with PoPIA. This means before you can process any of your customers’ personal information, you will need to ask for their consent.


PoPIA South Africa - IMM blog Image

Businesses now need to deal far more diligently with the information they collect. They can only collect what is necessary and are required to have a legitimate reason for collecting that information.

To be PoPIA compliant you’ll also need to ensure all the personal information you store is secure, and that your customers have the ability to access, correct or delete any of their data that you have already collected.


How can being PoPIA compliant help your business?


Being PoPIA compliant can be extremely beneficial to your business. Communicating to your customers exactly how you are PoPIA compliant can shed a positive light on your business and help you gain their trust. More and more consumers are becoming conscious of the privacy of their data, and they want to be assured that the companies they trust their data with will protect them against misuse and breaches.

Other than that, proven compliance with a state law automatically increases brand credibility. Knowing that a company adheres to local privacy laws organically improves a customer’s willingness to share their data without mistrust and increases the chances of customer retention and even referrals.

The 8 principles of PoPIA


Under the PoPIA, a responsible party processing personal information must comply with all eight principles of the act, and the measures necessary to give effect to those principles. Compliance must be achieved not only when the actual processing of information takes place, but also when determining the purpose and means of processing the personal information.

The principles are:

Accountability: This condition requires that all processing of data occurs in compliance with PoPIA. Practically, this requires that a data protection policy is established and that an internal information officer champions the aims of, and compliance with, the legislation.

Processing limitation: Personal data must be processed lawfully and in a reasonable manner that does not infringe on a data subject’s privacy. A responsible party must develop procedures and policies to ensure that personal information is processed in a “reasonable manner.”

Purpose specification: Among other things, this entails that personal information may only be collected for a lawful, specific and explicitly defined purpose related to the function or activity of the responsible party collecting the information.

Further processing limitation: Once personal information has been collected and lawful processing has occurred, a responsible party may only further process that data in limited circumstances.

Information quality: A responsible party must ensure that any personal information in its possession is complete, accurate, not misleading and updated when necessary. In maintaining information quality, the responsible party must consider the purpose for which the personal information is collected or further processed.

Openness: A responsible party must compile a manual that contains stipulated information as required by the South African Promotion of Access to Information Act, 2000, including details on the information that it holds.

Security safeguards: A responsible party must secure the integrity and confidentiality of any personal information in its possession or under its control by taking appropriate and reasonable technical and organisational measures to prevent loss, damage, unauthorised destruction of, and unlawful access to the personal information in its possession.

Data subject participation:

The data subject has the right to request confirmation of whether a responsible party holds personal information about the data subject. The data subject also has the right to request a record or description of the personal information about the data subject being held by the responsible party, as well as information concerning the identity of all third parties who have had access to the data subject’s personal information.

The data subject may request that a responsible party:

Correct or delete personal information about the data subject that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained; and delete or destroy personal information that the responsible party is no longer authorised to retain.

What are the consequences if my business fails to comply with the PoPIA?


If a responsible party causes the breach of a data subject’s personal information, negligently or otherwise – an aggrieved party may lodge a complaint with the Information Regulator. The Information Regulator does not necessarily require a court order to issue a fine for non-compliance.

The Act sets out civil remedies available to an aggrieved party which include, payment for damages as compensation for losses suffered as a result of a breach, aggravated damages; interest; and costs on a scale as determined by the court.

Where criminal charges are brought against a responsible party and such party is convicted– the penalty can be extremely harsh. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine. Additionally, the Information Regulator may institute administrative fines up to an amount of R10 million.

Apart from jail time and fines as repercussions, reputation is also very important to keep in mind, because no potential customer would want to be affiliated with an organisation that does not adhere to regulations, which is also at risk of experiencing data breach due to the lack of proper cybersecurity measures as per PoPIA requirements.

PoPIA 2 - IMM blog Image


Ensure you understand the basic structure of, and the principles contained in the act with our PoPI Act online course.


This course has been designed to introduce the basic principles of PoPIA, and to outline the structure of the Act. The programme provides references to and explains the relevant Sections in the Act.

The course has been designed for managers and executives who need to understand the Act. It is also relevant for any personnel who work with the personal information of clients, employees and customers.

Ensure that you and your organisation fully understand what is expected of you to remain compliant to PoPIA by signing up for this programme today. Follow the link to learn more: https://shortcourses.imm.ac.za/online-course/protection-of-personal-information-act-popia/