Understanding how the POPIA Act affects your business

What is POPIA?

POPIA stands for the Protection of Personal Information Act. POPIA is South Africa’s law governing data privacy and protection. It is the equivalent of the European GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act). It sets out the conditions under which responsible parties may lawfully process the personal information of their consumers.

What does POPIA mean to Consumers?

Under POPIA, consumers are given 8 consumer rights, including:

  • The right to opt into direct marketing
  • The right to opt out of direct marketing
  • The right to access their data
  • The right to know their data
  • The right to correct data
  • The right to delete data
  • The right to object to the processing of their data
  • In the case that any of these requests are rejected, the right to appeal the rejection.

Who must comply with POPIA?

All entities must comply with POPIA regardless of their size. This includes:

  • Sole proprietors
  • Partnership companies
  • Private incorporations
  • Public bodies
  • Non-Profit organisations
  • Trade unions
  • Etc.

What does it take to comply?

Privacy policy and notice

A privacy policy is an internal document that sets out how your organisation processes personal information; a privacy notice summarising that policy is published on your website for your consumers.

Privacy rights

Processes need to be put into place to respect the 8 privacy rights stated above.

Process and change management

Map the data of your organisation to understand the data you process and make changes in order to respect the privacy of your employees and consumers.

Data and Security

Put in place the security measures needed to demonstrate that the ‘reasonable security’ the act requires actually exists.

The History of POPIA

POPIA, Act 4 of 2013, was signed into law in November 2013.

In December 2016 the Regulator, the entity responsible for governing POPIA compliance, took office under the Department of Justice.

In December 2018 the Regulations were published in the gazette.

In July 2020 POPIA came into force under the Regulator, with a 1 year grace period for companies to become fully compliant.

What to do next

In conclusion, the act was not put in place to deter you from doing business, but to ensure you do business with the necessary respect for the privacy of your employees, consumers and colleagues. We understand that compliance can be confusing and time consuming. Our POPI compliance solution includes software automation and a manual that enables companies to meet the 8 areas of consumer rights, giving you a no-fines guarantee and complete peace of mind. Get in touch with us and let us help you get POPI compliant.

Want to read more about how you can get POPIA Compliant? Bowline co-authored a book that will help you navigate privacy & security compliance in South Africa.

Written by DV Dronamraju, S’busiso Xulu, Gavin McLachian & Carl Uys

You can purchase the book online.


Risks of non-compliance

In the case of non-compliance with the act you will be liable to fines of up to 10 million rand. If you suffer a data breach, the act requires you to report it to the Regulator within a reasonable time; the Regulator has recently stated that a report must be made within 72 hours. Once the report is made you will be investigated by the Regulator. You will also need to notify the consumers whose data may have been breached.

Making the world a safer place to live, work & play.

Reduce security risks.

At Bowline, we believe people have the right to live, work and play in a world without fear of physical attack, fraud or financial loss. We make this possible by eliminating security threats.