The Protection of Personal Information Act: here is what you need to know

THE right to privacy is constitutionally entrenched in the South African Bill of Rights. In this regard, section 14 of the Constitution of the Republic of South Africa Act, No. 108 of 1996 provides as follows:

‘Everyone has the right to privacy, which includes the right not to have: their property searched; their possessions searched; the privacy of their communications infringed. ’The Protection of Personal Information Act (Popia) aims to give effect to this constitutional right to privacy, while seeking to balance this right against competing rights, such as the right of access to information.

When does the Protection of Personal Information Act become effective?

It has been 10 years since discussions around the Popia started. With an effective date of July 1, 2021, this means we have until June 30, 2021, to become compliant.

Who must comply with the Protection of Personal Information Act?

The act applies to any person or organisation who processes or retains any types of records relating to the personal information of individuals or juristic persons. This means that private and public sector organisations need to process personal information in a safe and lawful manner, thereby ensuring that individuals are protected from data breaches and information theft. What is regarded as personal information?

Personal information includes a broad range of information, or an opinion, that could identify an individual.

For example, personal information may include an individual’s name, signature, address, phone number or date of birth.

How does an organisation comply?

Appoint your team: determine if it will be necessary to appoint a dedicated Popia compliance officer or a full team, depending on the size, scope and function of your organisation.

Assign responsibilities: determine who will be responsible for the processing, storing, managing and destruction of personal information that the organisation holds.

Upskill personnel: familiarise yourself with what information is governed by the Popia and what exemptions exist. Ensure that identified personnel are properly trained and that your IT service provider is compliant.

The Popia top five things to do as a minimum

  1. Incident response: get an incident response team in place. Have an understanding on what your plan is when an incident or data breach occurs.
  2. Implement a data protection impact assessment: implement assessments to prevent introducing new Popia risks into your organisation.
  3. Access control: not everyone should have access.
  4. Review your forms: consider what information you are asking for, and be transparent about what the information is being used for.
  5. Have a plan for the rest: Popia regulations require that information officers develop, implement, monitor and maintain a compliance framework.

Who is exempt from Popia?

Popia provides a few exemptions. If the following applies to your organisation, you do not need to comply with Popia:

  • Do you process personal information that is not entered into a record?
  • Do you process personal information in the course of purely household activities?
  • Is the information processed de-identified so that it can no longer be defined as personal information?
  • Are you a public body that protects national security? Or that prosecutes offenders?
  • Are you in cabinet (and its committees) or on the executive council of a province?
  • Are you a court referred to in section 166 of the Constitution and process personal information only as part of your judicial functions?
  • Do you process for purely journalistic, artistic or literary purposes?

If you require any information or assistance with becoming compliant, please contact any one of our Nexia SAB&T branches nationally.

Please note that the above is for information purposes only and does not constitute tax advice. As each individual’s personal circumstances vary, we recommend they seek advice on the matter. Please note that while every effort is made to ensure accuracy, Nexia SAB&T does not accept responsibility for any inaccuracies or errors contained herein. If you are in doubt about any information in this article or require any advice on the topical matter, please do not hesitate to contact any Nexia SAB&T office nationally.

Article prepared by: Aysha Osman

For any queries, please contact:

  • Hassen Kajie (Entrepreneurial Business Services Director)
    M: (+27) 82 333 3389 | E:
  • Yousuf Hassen (Entrepreneurial Business Services Director)
    M: (+27) 82 333 3376 | E: