A Business Owner’s Guide To POPIA

01 July 2021

The Protection of Personal Information Act (POPIA) has become legally enforceable today.


Whether you are a local start-up or a large multi-national corporation who gathers the data of South Africans, all businesses must ensure POPIA compliance to avoid hefty fines if caught out.

Consequences include fines totalling R10 million and prison sentences of up to 10 years for complete breach of the Act, while minor offences are punishable with a fine and a prison sentence of a maximum of 12 months.

The Act provides eight conditions under which personal information may be legally gathered and processed.

  1. Accountability: the business must delegate a responsible party who will be held accountable for any failings relating to POPIA – the CEO will assume this role by default. Additionally, the business must create policies and procedures to ensure constant POPIA compliance.
  1. Processing Limitation: personal information must be processed in accordance with the law and only with the consent of the data subject. Any personal information gained from any source, such as directly from the data subject or from a third party, must be gained and processed with the explicit consent of the data subject.
  1. Purpose Specific: personal information can only be processed for the reasons that a data subject’s consent originally granted. For example, if a data subject grants permission for their personal data to be used for medical purposes, that information cannot be sold to advertises. Additionally, personal data must be destroyed once it has served its purpose or after an agreed-upon timeframe.
  1. Further processing limitation: personal data cannot be reprocessed or processed for a secondary purpose unless that purpose is compatible with the original purpose for which it was collected. If this is done, the data subject has to be consenting.
  1. Information quality: a business must take reasonable steps to ensure that a data subject’s information is complete, accurate and up to date.
  1. Openness: the data subject must always be aware that you are collecting their data and for what purpose that information will be used. The business must be able to prove that a data subject was made fully aware and that their explicit consent was obtained before any of their data can be gathered or processed.
  1. Security safeguards: a business must ensure that all its data is properly stored and processed so as to protect against the risk of loss, unlawful access, interference and modification or unauthorized destruction, disclosure and distribution.
  1. Data Subject Participation: data subjects may always request knowledge of where and how their data is being stored. Data subjects also retain the right to request the immediate correction or deletion of any personal data. 

You can read the comprehensive legal information within the official POPIA documentation here.

Regarding security safeguards – namely properly storing and processing data so as to protect against the risk of loss, unlawful access, interference and modification or unauthorized destruction, disclosure and distribution – POPIA requires there to be reasonable precautions present to protect against “reasonably foreseeable risks”.

This means that a business should be able to make a defendable legal case against the regulator and avoid severe penalties in the event falling victim to a major, highly advanced cyber-attack, with certain precautions in place. 

So what happened with Equifax? An examination of the 2017 breach reveals that the severerity of Equifax’s punishment matched their negligence in adequately protecting against online threats, as well as mishandling their systems breach once it had been discovered. 

Exceptions to POPIA

Some branches of the South African state are exempt, such as parliament and the judicial system, while information that is for purely personal or household activities, journalistic, literary or artistic purposes are also excluded.

Businesses cannot afford to omit “menial data” such as the emails and messages which are found on employee laptops and hard drives. Although this data is easily overlooked, businesses have a legal obligation to protect such commonplace data; failure to do so could result in serious penalties.

Businesses cannot rely entirely on third parties to become POPIA compliant. Small businesses especially may try and outsource their POPIA compliance to their service providers and cloud partners, but they should not necessarily rely on these third parties for their own POPIA compliance. POPIA does not allow a business to fully outsource their POPIA compliance to a data operator, but a business can and should ensure that their data operator processes data legally and is ready to properly alert them in the event of a data breach.

Finally, it is important to note that every business operating in South Africa has to be POPIA compliant. This means that a large multinational which gathers data in South Africa (such as Facebook) must adhere to the same standards as a small tech-start up based in Johannesburg. 

POPIA has caused headaches for Facebook – its subsidiary company WhatsApp has come up against the Act in its attempts to enforce a new user/privacy policy that requires the user to consent to a wide array of data collection and processing.  

Although some businesses may view POPIA as a source of unwelcome stress, the Act can be viewed as great leap forward which benefits both companies and their consumers.

By promoting world-class data storage standards and responsible processing limitations, POPIA protects the legitimate interests of all parties. Business can operate within a clear legal framework, which ensures that, so long as compliance with POPIA’s guidelines is ensured, businesses can protect themselves from ruinous prosecution in the event of a hack.

A business should view their consumer’s data as their personal asset that the business is responsible for safeguarding and handling in a professional and secure manner. With this mindset, the introduction of POPIA should be welcomed as a way for businesses to develop better data handling skills. If a business can translate POPIA compliance into a marketable commitment to excellent data handling and privacy standards, then that business stands to not only improve the experience of its existing clients, but gain new customers as well.


Back to Blogs