<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=492489&amp;fmt=gif">
Group 403

What you need to know about POPIA

November 25, 2021
Read Time 3 mins

The Protection of Personal Information Act came into effect on 01 July 2021. Combined with the Promotion of Access to Information Act, in our world they are referred to as POPIA. Tarsus Technology Group recently hosted a webinar titled “Understanding POPIA” in which we shared our experiences of POPIA and how it affects a business.


Covered In This Article:

What does it mean to protect data privacy?
Why personal information must be protected
What does it mean to protect data privacy?
What are the rules?
The eight POPIA conditions
What are the consequences of not being POPIA compliant?
What are the quick wins for organisations that are lagging??

Albert Gerber, Chief audit executive, Alviva Holdings and Senzo Mbhele, Head of employee experience and innovation marketing, Tarsus Technology Group.

Failure to comply with the requirements of the POPI Act could have dire consequences.

It’s true to say that this is a complicated subject and that most organisations have neither the internal expertise nor the time or budget to get a full grasp on the topic.

For those who were unable to watch the webinar here is an overview of the discussion and how the subject of the requirements of the Act was unpacked.

Why Personal Information Must Be Protected

Data has become the single biggest asset for any company. When a security breach takes place, it’s not just an internal problem – attackers are after the personal information that organisations store. Data breaches regularly expose millions of personal data records which criminals use to commit fraud or identity theft.

POPIA gives individuals – referred to as data subjects – the right to know what’s happening with their personal information and impose stringent fines on organisations that fail to protect data privacy

What Does It Mean To Protect Data Privacy?

It means handling personal data with respect for confidentiality and anonymity. This applies to all data related to individuals, such as their names, birth dates, addresses, identity numbers, financial data and medical records.

Failing to ensure data privacy can have negative repercussions for organisations. Even a single leak of personal data can have a serious impact on an organisation's financial well-being and its reputation, as investor and customer trust can be irreparably damaged.

To protect data privacy, organisations need to understand what data they have, where its located, who can access it, how it is secured, and how it will be destroyed when the organisation no longer needs it.

What Are The Rules?

POPIA is not rules-based, which makes it tricky as it is not possible to simply do a tick box exercise and expect that all requirements have been met.

The key to understanding the Act is that it is based on reasonableness. Its purpose is to protect people’s personal information, to prevent their identity and money from being stolen, and to protect their privacy

The 8 POPIA Conditions

For organisations to ensure that they lawfully process information, where process refers to the ‘cradle to grave’ handling of information, they need to comply with eight POPIA conditions:

1: Accountability
All organisations must appoint an information officer who will be responsible for ensuring that information is protected, and controls are in place to enforce protection.

2: Processing limitation
The information must be collected in a reasonable manner, with the consent of the individual, and the amount of information must be relevant and not excessive.

3: Purpose specification
Personal information must be collected for a specific purpose and the data subject must be made aware of the purpose for which it was collected.

4. Further processing limitation
Personal information cannot be passed on to a third party, such as a medical aid or retirement fund, for further use without the consent of the data subject.

5: Information quality
The personal information that has been collected must be complete, accurate, and up to date.

6: Openness
The organisation must be open about the collection of personal information and must ensure that the data subject has been made aware that their personal information is going to be collected.

7: Security safeguards
Security safeguards must be put in place to ensure the integrity and confidentiality of the information.

8: Data subject participation
Data subjects have the right to request whether or not an organisation holds personal information about them and to request a description of the information.


POPIA ensures that South African data laws are fairly aligned with international requirements.

POPIA is comparable to the European Union’s General Data Protection Regulation (GDPR) and shares many of the same principles, granting citizens specific rights over their personal information, requirements for data processing, defining personal information for end-user protection, fines for privacy violations, and the formation of the Information Regulator (SAIR) to enforce and monitor the laws.

What Are The Consequences Of Not Being POPIA Compliant?

The consequences of non-compliance are significant. POPIA imposes various criminal offenses for non-compliance, including imprisonment not exceeding 10 years, or a fine not exceeding R10 million – or both.

In addition to penalties, the reputational damage is huge and the effect on the organisation can be devastating.

What Are The Quick Wins For Organisations That Are Lagging?

  • Appoint a data protection officer: Every organisation should have a person who is responsible for ensuring that it complies with POPIA and with the conditions for the lawful processing of personal information.
  • Train employees: Employees must have a basic working knowledge of POPIA and what the compliance obligations are. All employees who process personal information as part of their daily work duties need specific training. This includes sales managers, marketing managers, and customer-facing employees.
  • Create a privacy policy: Any organisation that collects or processes personal information about any individual need to have a privacy policy. It demonstrates to people what will be done with their data. A privacy policy should also appear on all websites that collect personal information about visitors.

To get the full story, watch the POPIA webinar here.

For further information on POPIA, visit the Protection Of Private Information Act, here

Subscribe to our blog