Last updated on 08 March 2022 by Robert Bateman (Privacy and Data Protection Research Writer at TermsFeed)
South Africa's Protection of Personal Information (POPI) Act sets the standards for data protection and privacy in South Africa.
The POPI Act represents a comprehensive and progressive data protection framework that brought significant changes to the state of consumer privacy in South Africa. Some parts of the Act are reminiscent of laws that have passed in the EU and California in recent years.
Let's take a look at what the POPI Act requires, and how your business can comply.
The POPI Act is a comprehensive data protection law that regulates the processing of personal information in South Africa. It's designed to protect people from data breaches and cybercrime, and to prevent intrusive marketing practices.
The right to privacy has long been recognized under Article 14 of the South African Constitution. The POPI Act will put some meat on the bones of this fundamental principle by providing clear rules and a means of enforcement.
The POPI Act became law on November 19, 2013 but didn't go into effect until July 1, 2020.
The POPI Act is very broad in scope and applies to just about every business and public body operating in South Africa. And to be clear, this includes foreign companies that are not based in the country.
According to Section 3.1, the POPI Act applies to any "responsible party" that is
This means that non-South African companies will need to comply with the POPI Act if they have customers (or prospective customers) in South Africa.
The POPI Act is a fairly comprehensive law and is often compared to the EU General Data Protection Regulation (GDPR).
Like many modern data protection laws, the POPI Act shares certain terminology and concepts with EU laws.
You'll be at an advantage if you're already familiar or compliant with the GDPR or its predecessor, the Data Protection Directive.
Before we get into the practical steps you can take to comply with the POPI Act, you'll need a basic understanding of that Act's purpose and terminology.
The POPI Act lists several objectives, including:
The POPI Act defines personal information by providing a non-exhaustive list of examples, including:
Processing means, in effect, doing something with the data. Again, the POPI Act defines this similarly to the GDPR (see our article What Activities Count as Processing Under the GDPR?).
Examples of activities that constitute the processing of personal data include:
Responsible parties are the main subject of the POPI Act. Responsible parties determine the purposes and means of the processing of personal information. Under the GDPR, responsible parties are known as data controllers.
Your business can act as a responsible party in a number of scenarios, for example when it:
A responsible party decides how and why to process personal information.
The POPI Act provides eight conditions for lawful processing. Think of these as legally-binding principles that must underpin all processing of personal information within your company.
The conditions for lawful processing can be summarized as follows:
The POPI Act provides new powers to penalize people and businesses who fail to comply with the Act. Such penalties vary in severity depending on the nature and seriousness of the offence.
Penalties for violating the POPI Act include:
Here are some practical steps all companies operating in South Africa can take toward compliance.
Your company probably handles a lot of personal information.
These are just a few examples. Think carefully about personal information flows within your company.
You can't comply with the rules in the POPI Act unless you know what personal information is in your control.
All organizations, public or private, are required to designate an Information Officer under the POPIA.
This role is comparable to that of a Data Protection Officer under the GDPR. However, whereas a Data Protection Officer is not always required under EU law, the requirement to appoint an Information Officer falls on all South African companies.
The Information Officer can be anyone within your company, but their appointment must be approved by the head of your company.
An Information Officer's duties include:
The POPI Act provides new rights for data subjects. A data subject is a person whose personal information has been processed. To put this in context, if you hold someone's personal data on file, that person is a data subject, and you must respect their data subject rights.
The POPI Act provides three data subject rights: access, correction, and deletion. These rights are only available under limited circumstances.
It's important that staff in your company know how to recognize such a request. You should provide a means of making such a request, for example your Information Officer's email address or a secure web form.
If a data subject requests access to their personal information, you must provide them with a copy of any personal information you hold on them. You must also let them know which third parties have had access to their personal information (if any).
You must supply this information:
You may charge a fee for this service. The data subject must provide proof of their identity.
The rights of correction and deletion apply only to personal information that is:
If you hold such personal information regarding a data subject then you must correct or delete it on request.
One of the most important aspects of data protection law is the requirement to store and transfer personal information in a secure way.
You can think of your security responsibilities under the POPI Act as a three-part process:
Section 19.2 (a) of the POPI Act requires the responsible party to "identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control."
Consider the following questions in relation to each set of personal information in your possession:
There are many ways to secure personal information in transit and storage. At the broadest level, these consist of:
Section 22.1 of the POPI Act imposes an obligation on responsible parties to notify the Information Regulator of data breaches "as soon as reasonably possible." Under certain conditions, you must also notify the individuals who have been affected by the breach.
To ensure you can mitigate the damage caused by a data breach, you should consider creating a Data Breach Policy. This will enable all staff to quickly and effectively identify and respond if the worst happens.
The POPI Act builds upon existing direct marketing rules under South African legislation such as the Consumer Protection Act (CPA) privacy law.
Chapter 8 of the POPI Act sets out the conditions under which you may send a person marketing communications. The recipient of marketing communications must either:
In either case, there must be a clear way to withdraw from receiving marketing communications. This could be, for example, an unsubscribe link in an email.
The POPI Act defines consent as a "voluntary, specific and informed expression of will."
Let's break that down:
This is very similar to the model of consent under the GDPR.
You don't need consent to send direct marketing to your existing customers, so long as:
The POPI Act is a big step forward for privacy in South Africa. It brings the country closer to the data protection standards of other large economies, such as those in the EU.
Whilst compliance with the Act may seem daunting, it's important that your business takes the necessary steps to avoid legal issues.
Some first steps toward compliance with the POPI Act include: