Rushda Ebrahim Khan & Fameeda Suleman | Compliance Division


2021 marks a historic achievement for data privacy in South Africa.



The Protection of Personal Information Act more commonly referred to as POPIA was signed into law by the President in November 2013 and after seven long years it was officially enforced on 1 July 2020, with a 12-month grace period. This important piece of legislation gives effect to the constitutional right to privacy and regulates the processing of personal information.  All private and public bodies who process personal information will have to be compliant with POPIA on 1 July 2021. 

A data subject is any person to whom the personal information relates (including juristic persons, such as companies).  Essentially, the purpose of POPIA is to protect the personal information of all data subjects and to ensure that both individuals and juristic persons know exactly what their personal information is being used for and how it is being processed by organisations. 

What is personal information?

Personal information is any information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person. It includes data such as race, gender, age, employment history, contact details, identity number and so forth.

How does this Act affect you as a data subject?

This Act creates many obligations on an organisation that processes your personal information, including a duty to ensure that they protect your information, that they only use it for the specific purpose that you provided it for and that they do not disclose it to anyone that does not have a legal right to obtain your information. In essence, the Act imposes a duty on an organisation to act more responsibly with your personal information.

What are your obligations as a processor of the personal information?

The word ‘processing’ is defined in the Act as a wide range of various activities including but not limited to, the collection, receipt, recording, storage, updating, merging, use or destruction of the personal information.  Therefore, if you do any of these activities with personal information, the Act imposes certain obligations on you. 

Some of these obligations include the following:

  • You should collect only the information that you require - the bare minimum;
  • Obtain consent of the data subject, where necessary, unless other requirements set out in the Act are satisfied;
  • You should only collect personal information for a specific, lawful purpose;
  • Ensure that the personal information is kept relevant and accurate;
  • Have reasonable security measures in place to protect the personal information;
  • Only keep the personal information for as long as it is required in order to achieve the purpose for which it was collected.  Thereafter the personal information must be destroyed or de-identified; and 
  • Allow the data subject to obtain or view his or her personal information on request as well as correct their personal information.  A data subject may also request that their personal information be deleted in particular circumstances.

The Act is centred around eight conditions for processing personal information and all organisations that process personal information will need to comply with the following conditions:-

  • Accountability;
  • Processing limitation;
  • Purpose specification;
  • Further processing limitation;
  • Information quality;
  • Openness;
  • Security safeguards;
  • Data subject participation.

What are the consequences if you do not comply with POPIA?

The Act has stringent requirements that must be complied with. From the 1st July 2021, any entity or individual that processes personal information in non-compliance with the Act could find themselves on the wrong side of the Information Regulator.  

Depending on the nature of the non-compliance, in certain instances, the organisation may receive an Enforcement Notice to comply with the Act.  However, where organisations are found guilty of particular offences, it could lead to imprisonment of up to 10 years and in other instances, an administrative fine may be imposed of up to R10 million.  The data subject may also pursue civil action for damages against the organisation.   Another important consequence to remember is the negative publicity that will result in reputational damage to the organisation.

Who do you lodge a complaint with if an organisation misuses your personal information?

The Information Regulator has been created in order to enforce the Act and deal with complaints related to the misuse of personal information. The Regulator has reiterated it’s commitment to resolve any data breach and has been actively getting involved in potential data breaches already. For more information, you can visit the Regulator’s website at


With the deadline of 1 July 2021 fast approaching, many organisations are currently busy with the critical task to ensure compliance with POPIA.  It is a huge step in data protection for South Africa and this Act helps align South Africa with the European Union standards for data protection (General Data Protection Regulation).  With the various recent data breaches that have occurred, many South Africans can breathe a sigh of relief as we embark on a new era of data protection.