The Protection of Personal Information Act (POPI or POPIA), also known as South Africa’s GDPR, puts South Africa’s data regulation standards on par with existing data protection laws around the world.
This Act came into effect on 1 July 2020, followed by a one-year grace period (ending on 30 June 2021). Failure to comply can lead to fines of up to 10 million rand.
As a constitutional right, the right to privacy should already enjoy respect and protection, regardless of the promulgation of POPIA. Therefore, processing personal information in the manner prescribed in the conditions for lawful processing of information (chapter 4 of the POPIA Guidelines) will go a long way in giving effect to the right to privacy.
What is the POPI Act in South Africa?
POPI is the Protection of Personal Information Act 4 of 2013 (POPIA). This Act applies to every organisation in South Africa, as all companies collect personal information from their customers, employees and suppliers.
It creates new rules for the way in which personal information is collected, what it may be used for, when it may be shared, how securely it must be stored, what the rights are of the person whose information it is, and what organisations must do in the event of a breach.
Every South African company needs to be compliant!
How do you become POPI compliant?
- Organisations must ensure that employees receive POPIA training in accordance with the POPIA Regulations.
- Your organisation must document what personal data it holds, where it came from, and who it is shared with.
- Your organisation must include a POPI Privacy Notice on its website.
- Your organisation must explain to people how they can access, change or correct, and delete their personal information, unless an exception applies.
- POPIA consent is defined as ‘any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information’.
- Organisations cannot collect or process the personal information of children (under the age of 18) without parental or guardian consent.
- Companies must monitor for breaches and maintain breach response policies and procedures.
- Every company must appoint a Deputy Information Officer for POPI.
POPI Act Compliance Checklist
Here’s everything you need to know:
1. Assess Personal Information
Your business needs to assess what information it collects (whether from employees, customers, services providers or other third parties such as credit bureaus) and review whether that information is actually necessary for the purposes for which it was collected.
2. Use of Information
Under POPI, a business cannot keep a record of personal information once the reason for which it was collected no longer exists, unless required by law.
If you applied for a store card or signed up for a newsletter 2 years ago, the company will need to take steps to destroy your information after a set period.
This includes electronic and hard copies, for example the passport or ID that a hotel scans at check-in.
3. Information Security
Your business needs to prevent the loss, theft or damage of personal information. Storing customer emails in an Excel spreadsheet is no longer enough. POPIA does not prohibit you from using non-localised storage of data, such as cloud services.
If you opt for non-localised storage of data, your business remains responsible for the protection of the personal information of data subjects. Therefore, it is recommended that you enter into an agreement with the cloud-based service provider; the agreement would need to address the security measures the provider will take to protect the personal information. The cloud service provider must also comply with the requirements of POPIA for the lawful processing of personal information, as prescribed in conditions 1 to 8 of Chapter 3 of POPIA.
Some of the best cloud storage service providers include Hubspot, iDrive, Mailchimp and Dropbox.
4. Consent is Key
Your business cannot call people using a robotic spam voice or send out newsletters, marketing emails or text messages unless the person has asked you to.
Telemarketers will continue to contact you, as telephone calls don’t fall under electronic communication: an actual human phoning you up to sell you something is still allowed.
Difference between POPI and GDPR
There are several differences between GDPR and POPI; in fact, POPI can be seen as a stepping stone to GDPR compliance.
| | POPI (SOUTH AFRICA) | GDPR (EUROPE) |
|---|---|---|
| When was it created | South Africa's Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA') was promulgated into law on 26 November 2013. | The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into effect on 25 May 2018, and governs the protection of personal data in EU and EEA Member States. |
| Protects personal data of | Natural and juristic persons (companies and trusts) | Natural persons only (living) |
| Roles | Must appoint a Deputy Information Officer, regardless of any factors. | Must appoint a Data Protection Officer based on various factors such as size, type or processing ability. |
| Penalties | 10 years in prison or up to R10 million in fines. | EUR 20 million in fines / up to 4% of global turnover. |
| Data breach notifications | As soon as possible | Within 72 hours of knowledge |
How to Make Your Website POPI Act Compliant
Like GDPR, POPI means that every business with a website will now need to include a privacy notice indicating what you do with customer information, how you process it, and how long you keep it for.
POPI Act privacy notice template
- What data do we collect?
- How do we collect your data?
- How will we use your data?
- How do we store your data?
- What are your data protection rights?
- Privacy policies of other websites
- How to contact us
- How to contact the appropriate authorities
What data do we collect?
Our Company collects the following data:
- Personal identification information (Name, email address, phone number, etc.)
- [Add any other data your company collects]
How do we collect your data?
You directly provide Our Company with most of the data we collect. We collect and process data when you:
- Register online or place an order for any of our products or services.
- Voluntarily complete a customer survey or provide feedback on any of our message boards or via email.
- Use or view our website via your browser’s cookies.
- [Add any other ways your company collects data]
Our Company may also receive your data indirectly from the following sources:
- [Add any indirect source of data your company has]
How will we use your data?
Our Company collects your data so that we can:
- Process your order and manage your account.
- Email you with special offers on other products and services we think you might like.
- [Add how else your company uses data]
If you agree, Our Company will share your data with our partner companies so that they may offer you their products and services.
- [List organizations that will receive data]
When Our Company processes your order, it may send your data to, and also use the resulting information from, credit reference agencies to prevent fraudulent purchases.
How do we store your data?
Our Company securely stores your data at [enter the location and describe security precautions taken].
Our Company will keep your [enter type of data] for [enter time period]. Once this time period has expired, we will delete your data by [enter how you delete users’ data].
Our Company would like to send you information about products and services of ours that we think you might like, as well as those of our partner companies.
- [List organizations that will receive data]
If you have agreed to receive marketing, you may always opt-out at a later date.
You have the right at any time to stop Our Company from contacting you for marketing purposes or giving your data to other members of the Our Company Group.
If you no longer wish to be contacted for marketing purposes, please click here.
What are your data protection rights?
Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
The right to access – You have the right to request Our Company for copies of your personal data. We may charge you a small fee for this service.
The right to rectification – You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete the information you believe is incomplete.
The right to erasure – You have the right to request that Our Company erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.
The right to object to processing – You have the right to object to Our Company’s processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us:
- Email us at:
- Call us at:
- Or write to us at:
Privacy policies of other websites
How to contact us
- Email us at:
- Call us:
- Or write to us at:
How to contact the appropriate authority
Should you wish to report a complaint or if you feel that Our Company has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.
Book a Website Audit
Not sure if you are on the right track to grow your website? Reach out to Lerato B Group for a website audit: an in-depth analysis of your website covering design, heading tags, metadata and content, internal and external linking, and site speed, among many other factors influencing your site’s performance.