The PoPI is on the horizon, are you compliant?

Posted by:

by Themba Mahleka

In November 2013, the Government Gazette issued a notice that South Africa President Jacob Zuma assented to Act No. 4 of 2013: Protection of Personal Information Act, 2013 (PoPI). The PoPI will regulate the processing of the personal information of a data subject by a responsible party. This will be achieved by introducing conditions that will establish the minimum requirements for processing personal information. These minimum requirements will be monitored by an information regulator to be the custodian of the Act. The establishment of this office is a process which is also already underway, with interviews having taken place on May 10, 2016.


The PoPI is forecasted to have an impact on a wide variety of sectors in South Africa, including finance, insurance, pharmaceuticals, direct marketing and retail. These are just some of the sectors that will need to make adjustments in order to be PoPI compliant.

In fact, the PoPI applies to the processing of personal information of a data subject data subject by, or for a responsible party. Unlike BEE regulations for example, the PoPI does not distinguish between the size of the entity, sector or number of employees in defining a responsible party. This means that every entity, from SMEs to listed companies, processing personal information will need to be PoPI compliant.

Any person convicted of an offence in terms of the PoPI may be liable to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment. The amount of the fine may be up to an amount of R10 million. It is therefore of the paramount importance for each entity to understand what the PoPI is, and whether or not they are compliant.


The PoPI is designed to protect important interests, including the free flow of information

within the Republic of South Africa. The PoPI will also regulate transborder information flows by precluding a responsible party in the Republic of South Africa from transferring personal information of a data subject to a third party who is in a foreign country unless certain requirements are met.

While the PoPI was signed into law in November 2013, it is yet to commence and we are awaiting a commencement date for the act, after which, a compliance grace period of 1 year will exist, which may be extended to a maximum of 3 years. However it seems as though the commencement date may be on the horizon if certain indicators, such as the interviewing of potential candidates for the post of information regulator in May 2016, are to be considered.


The Constitution stipulates that, “This Bill of Rights is a cornerstone of democracy in South Africa. It enshrines the rights of all people in our country and affirms the democratic values of human dignity, equality and freedom”.

The intention of the PoPI is to safeguard the Right to Privacy as enshrined in the Bill of Rights, s. 14 of the Constitution including, “protection against the unlawful collection, retention, dissemination and use of personal information”. It is a recognition by the State of its obligation to respect, protect, promote and fulfil the rights in the Bill of Rights.

Another reason for the promulgation of the PoPI is in keeping with global trends and developments on the subject matter. European Union laws such as the European Union Data Protection Directives of 1995, the Official Journal of the European Committees and the Official Journal of the European Union have been highly influential on the drafters of the PoPI.


It is becoming increasingly challenging to keep up with the plethora of legislation that affects those in business today. Legal compliance is a full time job but many entities lack the internal capacity or budget to adequately address compliance issues leaving them exposed. Imani is cognisant of this fact and our professionals are ready to alleviate this burden in order to allow our clients the freedom to focus on their core business. The best part about Imani is that you get the professionalism, skills and experience of a big law firm without the corresponding, ever increasing legal bills.

In terms of the PoPI, Imani will offer the following services;

  • ASSESSMENT of if, or where the gaps lie in terms of PoPI compliance within a particular entity.
  • ADVICE on the steps to take with regards to becoming and continuing to be compliant.
  • TRAINING of staff on what the PoPI is, why it is important to comply to it and how to ensure compliance.




  • collection,
  • receipt,
  • recording,
  • organisation,
  • collation,
  • storage,
  • updating,
  • modification,
  • retrieval,
  • alteration,
  • consultation or,
  • use of personal information.


Includes information relating to the;

  • race,
  • gender,
  • sex,
  • pregnancy,
  • marital status,
  • national, ethnic or social origin,
  • colour,
  • sexual orientation,
  • age,
  • physical or mental health,
  • well-being,
  • disability,
  • religion,
  • conscience,
  • belief,
  • culture,
  • language,
  • birth of the person,
  • education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;


The person to whom personal information relates;


A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;


A juristic person which has jurisdiction throughout the Republic of South Africa to exercise powers and perform its functions to ensure compliance and adherence in accordance with the PoPI and the Promotion of Access to Information Act.

Themba Mahleka is a panelist on Imani Africa Lawyers on Demand, he specialises in corporate governance, commercial law and is available to assist you with any questions regarding PoPI.

  Related Posts
  • No related posts found.