The Protection of Personal Information Act (POPIA) sets out the conditions that businesses need to follow in order to process personal information lawfully. The purpose of the Act is to ensure that personal information is kept secure and to protect individuals against identity theft, fraud and other breaches of their personal information. It applies to all businesses that collect personal information.

What are the steps to becoming POPIA compliant?

It is important to realise that POPIA compliance is not a once-off exercise and requires ongoing attention. The following steps can guide a company towards compliance; however, certain aspects will need to be followed consistently to ensure that the Act is not breached.

Firstly, a company should appoint an Information Officer who will be responsible for all POPIA compliance and register him/her with the Regulator. Ideally, this person should be the CEO or managing director of the company or someone of equal standing in the company.

The company will also need to draft a privacy policy, which should be made available to its employees and to clients upon request. The company should also create policies that regulate the procedures for the collection, processing, storage and deletion of personal data received from clients.

For Homeowners' Associations (HOAs) this would entail, amongst other things, obtaining consent from new owners to store and process their personal information, and handling HOA communications in terms of the Act. Invest in adequate password and anti-virus protection, email security and secure data storage.

Data privacy will need to be built into all business functions, and employees should be adequately trained to process personal information in line with POPIA.

The company should also ensure that there is communication with clients regarding the processing of their personal information.

What happens when there is non-compliance?

It is important to realise that the Regulator may inspect businesses to ensure compliance with the Act. A business may also be reported by a third party for non-compliance. If a business is found to be non-compliant by the Regulator, the person responsible for the contravention, or the Information Officer, can be fined up to a maximum of R10 million, or could face imprisonment of up to 10 years.

It is highly unlikely that the enforcement committee will issue fines to first-time offenders; however, wilful non-compliance, such as serious data breaches and the selling of personal information, will likely incur fines.

Do all businesses have to be POPIA compliant?

The Act applies to all businesses that store, process or use the personal information of their clients or members. Certain businesses are, however, able to apply for exemptions from certain obligations, depending on the nature of the business.

Where the collection of special personal information, such as religious conviction, race or criminal history, is required by the nature of the business or entity, and it is impractical for the business to obtain consent before processing such information, it will be able to apply for an exemption.

Businesses that process de-identified data, to the extent that the data cannot be linked to a specific person, are excluded from the Act in respect of that data. Processing personal information in the course of a household activity is excluded, and the processing of personal information for the purpose of journalistic, literary or artistic expression is also excluded from the Act.

Another exclusion is the processing of information by or on behalf of a public body where the processing involves national security. The national executive and the judiciary are also excluded from the scope of the Act when performing their functions.

What can you do if you are found to be non-compliant?

Section 97 of the Act creates an appeal process that a business may follow in the event of an adverse finding against it; however, it is unlikely that the enforcement committee will tolerate wilful non-compliance. A responsible party may appeal to the High Court within 30 days of receiving an enforcement notice.

Make your business POPIA compliant: speak to a legal expert

Our team of Corporate and Commercial Law specialists can assist with making your business legally POPIA compliant. Whether your enterprise is large or small, we can audit your business processes and offer guidance on how to amend your operations to bring them in line with the POPI Act.

For Corporate and Commercial Law expertise

Basilio de Sousa

Wesley Scheepers

Henno Bothma

Nicholas Hayes

David Kagan



The articles on these web pages are provided for general information purposes only. Whilst care has been taken to ensure accuracy, the content provided is not intended to stand alone as legal advice. Always consult a suitably qualified attorney on any specific legal problem or matter.