BBL Cape Town Branch has moved into new offices at
6 Poole Street, Brooklyn, Cape Town, 7405
You are currently viewing Guide to the POPI Act in South Africa

Guide to the POPI Act in South Africa

You’ve heard the talk of increased data privacy and the PoPI Act, but how ready is your small business for compliance? The Protection of Personal Information Act (POPIA) came into effect in 2020, but businesses will have to officially comply by 1 July 2021. Despite the change being around the corner, it is nothing to be feared. The Act is a mere formalisation of the privacy principles that already exist, and South Africa is swiftly following suit from the likes of the European Union (EU) and the United Nations (UN).


Businesses need to have a formalised process in place that proves their compliance, but as Dr Peter Tobin, a POPI Act compliance specialist point out,“Businesses that show POPIA compliance are more likely to earn the respect and loyalty of their customers and to increase their chances of local and international trading and success.”


As the Act will come into effect in just under a month, we take a look at what the PoPI act is, as well as how to be PoPI compliant.


Purpose of the PoPI Act

The PoPI Act serves to formally protect the personal information of consumers, that both private and public organisations have access to. Section 19 of The Act states that, “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—


  • loss of, damage to or unauthorised destruction of personal information; and
  • unlawful access to or processing of personal information.”


The purpose is to give consumers more control over what and how their information is being used by potentially unlawful parties, as well as ensure businesses are taking the necessary steps to safeguard personal data.


Does the Act apply to my business?

If your business in any way, shape or form acquires personal information from clients or customers, you have to comply with the POPIA.


How data is stored, processed and used must be inspected to ensure safety protocols are in place, and this information must be made available to clients or customers for full transparency. Your clients or customers may also request what personal information of theirs you have stored, and they may ask you to delete it.


If for example a customer used to have an account with a clothing store, and still receives promotional emails despite cancelling the account several years ago, the store will be in contravention of the Act. A business cannot use old customer information as part of their marketing efforts, and must delete the information after a set period of time.


How to become PoPI Act compliant

While the formalisation of this process will be new to many businesses, it doesn’t mean you have to hire a new team of data safety specialists or rehaul your system. You simply need to be aware of how the data you collect is stored and used, and ensure that robust security systems are in place to safeguard sensitive information. 

There are a few simple steps to follow to ensure your business is PoPI compliant:

1. Appoint  an information officer or team (depending on the size of your business)

2. Understand how the data you collect is processed and stored

Questions to ask your officer or team include:

Is the data you collect done so using systems that have security software?
How do clients or customers give consent for their information to be acquired?
How are clients or customers made aware of how their information will be used?
Is the data you acquire shared to third parties and if so is the client or customer made aware?
What is done with old client or customer data that is no longer in use?
Can clients or customers update how their information is stored and used?

3. Review and update your current data safety protocols and policies if needs be

4. Implement these safety protocols across your website and in any communication you have with clients or customer

5. Create or update your Promotion of Access to Information Act (PAIA) manual


How to prevent online data breaches

We can’t ever prevent online data breaches entirely, but there are a number of necessary steps you can take to protect client or customer information online. They are:

  • Register your domain name with a reliable SSL Certificate
  • Ensure your web hosting provider offers a robust data backup solution
  • Invest in a VPN solution if your employees work remotely and are connecting to various public networks


The PoPIA act is not in existence to catch businesses out, but rather to serve consumers more transparently in an age where data collection and storage is not always clear.