Data Privacy — POPIA
The Protection of Personal Information Act 4 of 2013 (POPIA) became fully effective on 1 July 2021. It governs how organisations collect, store, use, and share personal information about individuals (data subjects). Non-compliance carries significant penalties and reputational risk.
POPIA is South Africa's equivalent of GDPR (European Union). Where a SA company also processes the personal information of EU citizens, both POPIA and GDPR may apply.
Who Must Comply
Any "responsible party" that processes personal information in South Africa — including any company, trust, partnership, or individual that collects, stores, uses, or shares personal information about employees, customers, suppliers, or any other natural person.
There is no size exemption. Even a 5-person company with a client list must comply.
The 8 Conditions for Lawful Processing
1. Accountability
The responsible party is responsible for ensuring compliance. Appoint an Information Officer (typically the CEO or a senior designee) — mandatory for all organisations. Register with the Information Regulator.
2. Processing Limitation
Personal information may only be processed:
- With the consent of the data subject, or
- Where processing is necessary for a contract, legal obligation, legitimate interest, or vital interest of the data subject
Collect only what you need. Do not collect personal information "just in case".
3. Purpose Specification
- Collect personal information only for a specific, explicitly defined, and legitimate purpose
- Inform data subjects of this purpose at collection
- Do not process information for a different purpose without fresh consent
4. Further Processing Limitation
Further processing must be compatible with the original purpose of collection. Using a customer email address collected for invoicing to send marketing is further processing, and it requires consent or another lawful justification.
5. Information Quality
Take reasonably practicable steps to ensure personal information is:
- Complete
- Accurate
- Not misleading
- Updated where necessary
6. Openness (Transparency)
Notify data subjects before or at the time of collection:
- Name and contact details of the responsible party
- Purpose of collection
- Whether supply of information is voluntary or mandatory
- The consequences of not providing information
- Rights of the data subject (access, correction, objection)
- Whether information will be transferred internationally
Mechanism: Privacy Notice / Privacy Policy — must be accessible (website, at collection point).
7. Security Safeguards
Implement appropriate, reasonable, technical, and organisational measures to prevent:
- Loss, damage, or destruction of personal information
- Unlawful access or processing
Minimum measures:
- Encryption for sensitive personal information at rest and in transit
- Access controls (only authorised staff access personal information)
- Secure destruction of information no longer needed
- Written agreements with "operators" (service providers who process personal information on your behalf — e.g., cloud providers, payroll bureaus, CRM vendors)
8. Data Subject Participation
Data subjects have the right to:
- Access: Request a copy of their personal information held
- Correction: Request correction of inaccurate information
- Deletion: Request deletion of information (where no longer needed for the original purpose)
- Objection: Object to processing on legitimate grounds
The responsible party must respond within 30 days of a request.
Special Categories of Personal Information
Certain categories receive heightened protection and may only be processed with explicit consent or specific legal justification:
- Race or ethnic origin
- Religious or philosophical beliefs
- Trade union membership
- Political persuasion
- Health or sex life
- Biometric information (fingerprints, facial recognition)
- Criminal behaviour
- Children's personal information
Biometric data in the workplace: Using fingerprint access systems or facial recognition for timekeeping requires explicit employee consent and must be proportionate to the purpose.
Security Compromise (Data Breach)
If personal information is compromised (lost, stolen, accessed without authorisation):
- Internal assessment: Immediately assess the nature and extent of the breach
- Notify the Information Regulator: As soon as reasonably possible after discovering the breach
- Notify affected data subjects: Where the breach is likely to affect them adversely
The Information Regulator (www.inforegulator.org.za) must be notified even where the breach is minor. Failure to notify is itself a violation.
Penalties
| Violation | Maximum Penalty |
|---|---|
| Non-compliance after Regulator order | R10 million fine OR 10 years imprisonment OR both |
| Unlawful processing | R10 million fine OR 10 years imprisonment OR both |
| Failure to notify of security compromise | R10 million fine OR 10 years imprisonment OR both |
The Information Regulator may also issue enforcement notices, compliance notices, and infringement notices.
POPIA Compliance Checklist
- [ ] Information Officer registered with the Information Regulator (PAIA/POPIA registration)
- [ ] Personal Information Impact Assessment (PIIA) completed — what information do you hold and why?
- [ ] Privacy Notice published (website and at all collection points)
- [ ] Consent mechanisms in place where consent is the lawful basis
- [ ] Operator agreements in place with all third-party processors (cloud providers, CRM, payroll, HR systems)
- [ ] Security measures implemented and documented
- [ ] Data breach response procedure documented and tested
- [ ] Data retention policy: how long is personal information kept and what triggers deletion?
- [ ] Employee training on POPIA obligations
- [ ] Data subject request procedure in place (respond within 30 days)