Protection of Personal Information Act (POPIA) South Africa
The Protection of Personal Information Act South Africa (POPI) is South Africa’s flagship law on data protection and privacy. POPI should be viewed as the country’s version of the European Union’s (EU) GDPR laws.
Private organizations that operate within South Africa must be in compliance with this law or potentially face significant penalties.
Here’s what you need to know about the Personal Information Act South Africa.
What is the South Africa POPI Act?
So, what is POPIA, and why is it relevant to you?
In summary, this law was signed in 2013, but the majority of it was inactive until 2019. It’s been a long time coming, and it will essentially act as an equivalent of the EU’s GDPR laws.
It applies multiple conditions for how businesses should process the personal data of resident South Africans. The law includes eight general conditions, as well as three additional conditions.
There are similarities to GDPR laws in that businesses responsible for data are culpable for breaches and non-compliance. It also provides South Africans with protection against unsolicited communications.
The key difference in the Protection of Personal Information Act regulations is consent. POPI compliance in South Africa does not require businesses to obtain formal consent before processing personal data. The consent requirement applies only to special types of data and data relating to minors.
When Does the POPI Act Go into Effect?
One of the biggest areas of confusion regarding the Protection of Personal Information Act is when it comes into effect. The original framework started to be developed back in 2005.
POPI was signed into law as the Personal Data Protection Act 2013 in November of that year, with aspects of the law becoming effective in April 2014. The remaining provisions stayed inactive until 2019 due to the lack of an operational regulator.
The current date for full implementation of the POPI Act is July 2021. However, the government has made it clear that businesses will have a 12-month grace period to become compliant.
Key Requirements in the POPIA
The Protection of Personal Information Act (POPI) places several responsibilities on businesses.
Here’s what you need to know about complying with the Protection of Personal Information Act South Africa. This is merely guidance and should not be taken as legal advice.
1. Accountability
The responsible party must ensure compliance when processing data. In other words, the data processor is solely responsible under the law.
2. Processing Limitation
Strict controls have been implemented on the lawful processing of data. Data processors must process data in such a way as to preserve the individual’s privacy.
Data may only be processed for a specific, given purpose. Consent must be obtained, and proof of that consent maintained.
Individuals may withdraw their consent at any time, and businesses must immediately stop data processing if consent is withdrawn.
3. Purpose Specification
Under POPI, you may only collect information for a specifically defined purpose. This purpose must be related to your usual activities as a business.
Once data is no longer needed for that purpose, you no longer have the right to store and maintain that data.
4. Further Processing Limitation
Businesses may only process data when it is compatible with their stated purpose. This is an extremely ambiguous provision, but you can always process data if consent is given, the law requires it, the data came from public records, or the data pertains to a national security issue.
5. Information Quality
You must take reasonable steps to guarantee the accuracy and completeness of the data you store.
6. Openness
You’re required to maintain documentation of all the activities you carry out concerning the data you process.
The individuals whose data you process must know where you collect information, the source, and why you’re collecting their data. In other words, you need a comprehensive privacy and data policy.
7. Security Safeguards
All data processors must take all reasonable steps to prevent unauthorized access, loss, and data theft. Businesses are required to perform a risk assessment test to guarantee these safeguards.
8. Data Subject Participation
This part of the law outlines the rights of individuals. To put it simply, they have a right to access their data, make corrections, and withdraw their consent at any time.
Tips for POPIA Compliance
Compliance with the Protection of Personal Information Act South Africa is relatively easy if you’re already in compliance with the GDPR.
Here are some tips for achieving compliance before the POPI Act implementation date:
- Obtain consent when gathering data.
- Only collect data for use in your normal activities.
- Data can only be used when it matches the specified collection purpose.
- Implement a minimum level of security for protecting data.
- Anonymize personal information in non-production environments, such as dev/test, analytics, and AI/ML.
- Delete data when it’s no longer required.
Data compliance doesn’t need to be difficult. It all starts with building an effective data infrastructure.
Learn more about creating a data infrastructure that unlocks the potential of your data and keeps it in compliance with the provisions of POPIA, using data masking from Delphix.