Protection of Personal Information Act
POPIA is South Africa's data protection law, built on eight conditions for lawful processing and enforced by the Information Regulator. It protects personal information of natural and certain juristic persons and requires breach notification and information officers.
The Protection of Personal Information Act (POPIA) is South Africa's comprehensive data protection law. It was signed in 2013, but its substantive provisions began on July 1, 2020, with a one-year grace period, making compliance mandatory from July 1, 2021. POPIA gives effect to the constitutional right to privacy and regulates how public and private bodies process personal information. It is overseen by the Information Regulator of South Africa.
POPIA is built around eight conditions for the lawful processing of personal information. These conditions function much like the principles in the GDPR and other modern privacy laws.
Who It Applies To
POPIA applies to a responsible party (the equivalent of a controller) that is domiciled in South Africa, or that is not domiciled there but uses automated or non-automated means in South Africa, unless those means are only used to forward information through the country. It covers processing of personal information of both natural persons and, uniquely, certain juristic persons such as companies. Some exclusions apply, including purely household activity and certain journalistic, judicial, and national security functions.
Key Requirements
The eight conditions are accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation. Processing must be lawful and minimal, tied to a specific purpose, and accurate. Special personal information, such as health, religion, race, or biometric data, and children's data have extra protections. Data subjects have rights to access, correction, and deletion, and to object to processing. Responsible parties must secure information, notify the Information Regulator and affected data subjects of security compromises, and register information officers. Cross-border transfers are restricted unless the recipient is subject to comparable protection or another condition is met.
Penalties for Non-Compliance
The Information Regulator can issue enforcement notices. Failure to comply can lead to administrative fines of up to ZAR 10 million, and certain offences can carry imprisonment of up to ten years. Data subjects can also institute civil claims for damages.
How to Comply
Register your information officer with the Information Regulator and assign responsibilities. Map your processing against the eight conditions and document a lawful basis and purpose for each activity. Apply extra protections to special personal information and children's data. Implement security safeguards and a breach notification process. Honor data subject rights to access, correction, and objection. Review cross-border transfers to ensure comparable protection or another lawful condition applies.