POPIng the bubble: What’s in the Act?

6th Oct 2020

On 1 July 2020, the majority of sections of the Protection of Personal Information Act (“POPI”) came into effect. These sections create obligations and impose penalties for non-compliance – ranging from fines to imprisonment. The commercial and publicity-related consequences of breach could be even more damaging, and are unquantifiable.

But fear not… there is a grace period of one year to ensure full compliance, and we are here to help you achieve just that!

The requirements of the Act are:

Condition 1 – Accountability

Ensure that all requirements are met and appropriate measures are put in place to ensure compliance.


Condition 2 – Processing limitation

Personal information must be processed lawfully and in a reasonable manner, and the information must be limited only to what is necessary to achieve the overarching purpose.


Condition 3 – Purpose specification

The purpose of the collection of information must be lawful and clearly defined.


Condition 4 – Further processing limitation

Further processing of personal information must be in accordance with the purpose of its collection.


Condition 5 – Information quality

Ensure that the personal information is complete, accurate, and not misleading.


Condition 6 – Openness

Keep record of all processing operations and keep data subjects informed of policies and procedures.


Condition 7 – Security safeguards

Secure information records with suitable software and physical security measures.


Condition 8 – Data subject participation

Data subjects have the right to request confirmation whether their personal information is being kept on record. They may also request a correction or deletion of any information which is inaccurate, excessive, misleading or unlawfully obtained.

We suggest the following preliminary steps:

  1. Appointing an Information Officer, to manage the processing of information, and to deal with complaints and enquiries.
  2. An evaluation of software and other methods used to collect and process personal information, to test the level of protection against unauthorised access.
  3. Compiling a detailed Policy Document, for distribution to all data subjects. The Policy should explain:
  • The purpose for which personal information is collected and processed
  • Procedures for obtaining consent from data subjects
  • Procedures for collecting personal information
  • The storage and protection of personal information
  • The rights of data subjects and complaints procedures