What is POPIA?


POPIA is the Protection of Personal Information Act. It was promulgated four years ago in November 2013 in a bid to stop identity scams and theft from personal bank and other accounts. The main aim is to defend every South African’s right to privacy.

POPIA, therefore, is a law that protects a person’s private information (or data). It also describes when it is legal for a negotiator, or arbitrator, to have access to that information or data.

Anyone who contravenes this Act is fined. This is in accordance with the Information Regulator, who was assigned in October 2016 to inspect cases where individuals have stolen personal identities and committed bank account robbery.

If a company is found guilty of breaching the POPIA, it will suffer noteworthy financial and legal setbacks. Additional consequences include sweeping penalties where reputations are lost and customers and employees leave the company.

Background to POPIA

When South Africa was declared a democracy in 1994, the Bill of Rights was developed to protect the rights of every South African. We have one of the best Constitutions in the world and, according to section 14, everyone has a fundamental right to privacy. But in terms of common law, this right can only be applied when weighed against the rights of others and the public interest.

As a result, the South African Law Reform Commission had to create more legislation to ensure better individual privacy, and the Protection of Personal Information Act – POPIA – was born. This new legislation follows developments in Europe under the European Union Data Privacy Directive and the OECD (Organisation for Economic Co-operation and Development) Guidelines.

The purpose of POPIA is:

  • To give effect to the constitutional right to privacy by safeguarding personal information when processed by a responsible party;
  • To regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
  • To provide persons with rights and remedies to protect their personal information from processing that is not in accordance with the Act; and
  • To establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by the Act.


Some FAQs we would like to highlight:

  • Who must obey the POPIA? Any business or any individual who deals with personal information must obey this Act. The POPIA also ensures that other parties comply, and these include government departments, financial institutions, learning institutes, medical providers, companies – and all people who are so-called experts and whose job it is to deal with or hold the personal and private data of individuals or other corporations.
  • Who should be trained in the POPIA? Everyone involved in dealing with private individuals and their personal information should go for training. This means all levels of a company or business, from the bottom up. The CEO, compliance officers, information officers, human resources staff, managers, supervisors and employees should all go. This will ensure that everyone is on the same page regarding knowledge about the POPIA and how it should be obeyed.