South Africa’s Protection of Personal Information Act (POPIA) became fully enforceable on 1 July 2021, at the end of a 12-month grace period that began when most of its provisions commenced on 1 July 2020, and almost eight years after it was signed into law in November 2013. POPIA is now South Africa’s comprehensive data protection legislation.
The goal of POPIA is to give effect to the constitutional right to privacy by protecting data subjects from security breaches, theft of their information and discrimination. The Act sets out eight conditions for lawful processing, defines personal information broadly, and gives individuals more control over how businesses collect and use their personal information.
POPIA is the latest addition to the growing list of data privacy laws around the world that follow the lead of Europe’s General Data Protection Regulation (GDPR), which took effect in 2018, and the California Consumer Privacy Act (CCPA), passed the same year.
Who does POPIA apply to?
POPIA applies to any organization, regardless of its size, sector or location, that processes personal information, provided the organization is
- Domiciled in South Africa, or
- Not domiciled in South Africa, but uses automated or non-automated means located in South Africa to process personal information (unless those means are used only to forward personal information through the country)
This means a non-South African business that processes personal information in South Africa must comply with POPIA even if it has no physical presence in the country.
The processing it covers is not limited to the personal information of South African citizens or residents; what matters is where the processing takes place.

| POPIA | GDPR |
| --- | --- |
| Applies to organizations domiciled in South Africa, or that process personal information using means located in South Africa. | Applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. |
What’s personal information under POPIA?
Personal information means any information relating to an identifiable, living, natural person and, where applicable, to an identifiable, existing juristic person (a company or other organization), including, but not limited to:
- Information relating to a person’s race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, disability or religion, among other characteristics
- Information relating to a person’s education, medical, financial, criminal or employment history, and biometric information
- Identifiers such as e-mail address, physical address, telephone number, location data, and online identifiers (IP addresses, cookies, unique IDs, search and browser history)

| POPIA | GDPR |
| --- | --- |
| Applies to the personal information of natural persons (people) and, where applicable, juristic persons (organizations). | Applies only to the personal data of natural persons (people). |
Key definitions of POPIA
POPIA uses the same core concepts as GDPR, under slightly different names.
- The data subject: the person to whom the personal information relates.
- The responsible party: the public or private body, or any other person, that determines the purpose of and means for processing personal information. This is the controller in GDPR.
- The operator: a person who processes personal information for a responsible party under a contract or mandate, without coming under its direct authority. This is the processor in GDPR.
- Special personal information: information about a person’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal behaviour. Processing it is prohibited unless one of the Act’s specific exceptions applies. POPIA also places extra restrictions on processing the personal information of children.
What are the conditions for lawful processing in POPIA?
POPIA sets out eight conditions that must all be met for processing to be lawful.
1. Accountability: The responsible party (your business) must ensure that all the conditions are complied with for every processing of personal information, whether it does the processing itself or through an operator.
2. Processing limitation: You may process personal information only lawfully, in a way that does not infringe the data subject’s privacy, and only if the information is adequate, relevant and not excessive for the purpose. Processing needs a lawful ground, such as the data subject’s consent, performance of a contract, a legal obligation, or a legitimate interest, and the information must be collected directly from the data subject unless one of the Act’s exceptions applies.
3. Purpose specification: You must collect personal information only for a specific, explicitly defined and lawful purpose related to a function or activity of your business, and you must not retain it for longer than necessary to achieve that purpose.
4. Further processing limitation: Any further processing must be compatible with the purpose for which the information was originally collected.
5. Information quality: You must take reasonable steps to ensure the personal information you hold is complete, accurate, up to date and not misleading.
6. Openness: You must maintain documentation of all your processing operations and must inform the data subject how and why their personal information is being processed, including who is collecting it and whether it will be shared or transferred abroad.
7. Security safeguards: You must take appropriate, reasonable technical and organizational measures to secure the integrity and confidentiality of personal information, and must bind your operators to the same standard. If there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorized person, you must notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise.
8. Data subject participation: You must allow data subjects to confirm whether you hold their personal information, to access it, and to learn the identity of third parties who have had access to it. Data subjects must also be able to request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date or unlawfully obtained.
What is consent in POPIA?
POPIA lists consent as one lawful ground for processing personal information and sets out how it must be obtained and how it can be withdrawn. The Act defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.” The responsible party bears the burden of proving that consent was given, and the data subject may withdraw it at any time, although withdrawal does not affect processing that already took place while the consent was valid.
As under GDPR, consent must be given voluntarily: the data subject must have a genuine choice, and consent should not be made a condition of using a product or service. Consent must also be for a specific purpose rather than vague or ambiguous, and the data subject must be told upfront what they are consenting to and how their information will be processed. POPIA states that “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”.
What are the rights of individuals in POPIA?
POPIA gives data subjects the following rights.
- Right to be notified when their personal information is collected, and to be notified if it has been accessed or acquired by an unauthorized person
- Right to access their personal information
- Right to request correction, destruction or deletion of their personal information
- Right to object, on reasonable grounds, to the processing of their personal information
- Right to object to the processing of their personal information for direct marketing by means of unsolicited electronic communications
- Right not to be subject to a decision with legal consequences for them that is based solely on automated processing intended to profile them
- Right to complain to the Information Regulator
- Right to institute civil proceedings for interference with the protection of their personal information
What are the penalties under POPIA?
Violations of POPIA can lead to penalties imposed by the Information Regulator or the courts, including:
- An administrative fine of up to ZAR 10 million (approx. €490,000)
- A fine or imprisonment of up to ten years, or both, for the most serious offences, such as obstructing the Regulator or unlawfully processing account numbers; lesser offences carry imprisonment of up to 12 months
POPIA also provides a private right of action: a data subject, or the Regulator on their behalf, can sue a responsible party for damages, and the claim does not depend on proving intent or negligence.

| POPIA | GDPR |
| --- | --- |
| Maximum administrative fine of ZAR 10 million (approx. €490,000). Provision for up to 10 years of imprisonment for certain offences. | Up to €20 million or 4% of global annual turnover, whichever is higher. No provision for imprisonment. |
Who is the regulator of POPIA?
Like GDPR’s supervisory authorities, POPIA establishes an Information Regulator for South Africa. The Regulator has investigative powers, including the authority to investigate a private or public body on its own initiative or in response to a complaint, and corrective powers to issue enforcement notices and impose administrative fines. It also issues and approves codes of conduct, promotes awareness of POPIA and data subjects’ rights, handles complaints lodged by data subjects and facilitates dispute resolution in those cases.

| POPIA | GDPR |
| --- | --- |
| Establishes a single Information Regulator under Section 39 of POPIA. | Each EU member state establishes one or more independent Supervisory Authorities; the GDPR sets out their tasks and powers. |
Does POPIA require a data protection officer?
POPIA defines the information officer of a public body as its head, such as the director-general of a government department or the municipal manager of a municipality. For a private body, the head, typically the CEO, is the information officer by default, although the head may designate deputy information officers. The information officer must be registered with the Information Regulator before taking up the role.
The main responsibilities of an information officer include:
- Encouraging compliance with the conditions for lawful processing of personal information
- Dealing with requests made to the body under POPIA
- Working with the Information Regulator in relation to investigations of the body

| POPIA | GDPR |
| --- | --- |
| Does not prescribe qualifications for the information officer; the role falls to the head of the body by default. | The Data Protection Officer is designated on the basis of professional qualities and expert knowledge of data protection law and practice. |
What are the similarities between POPIA and GDPR?
POPIA and GDPR take very similar approaches to data protection, particularly in their scope, key definitions and data subject rights.
- Both GDPR and POPIA are built on principles of transparency and accountability.
- GDPR and POPIA define controllers (responsible parties), processors (operators) and data subjects in similar ways.
- Both laws limit data collection and processing and require a lawful ground for processing personal data.
- Both give data subjects rights such as the right to access, correct or delete their personal data, the right to object to processing and to direct marketing, and the right not to be subject to automated decision making.
- Under both, data subjects have a right to compensation from the responsible party for damage caused by violations.
- Both GDPR and POPIA mandate data breach notification to the relevant authority and to the affected data subjects.
- Both restrict transfers of personal data to other countries, with exceptions such as when the destination country offers an adequate level of protection, the data subject has consented, or the transfer is necessary to perform a contract.
How to comply with POPIA?
- Appoint and register an information officer.
- Raise awareness of POPIA and train employees.
- Audit and map all the personal information you collect, where it is stored and who it is shared with.
- Amend contracts with vendors and other operators to meet the requirements of the Act.
- Conduct a security risk assessment of your business’s controls against the security safeguards condition.
- Put a process in place to report data breaches to the Information Regulator and data subjects.
- Control the transfer of personal information to other countries.
- Establish a mechanism for data subjects to exercise their rights, such as accessing, correcting or deleting their personal information.
- Identify a lawful ground for each processing activity and, where you rely on consent, obtain it before collecting, storing or sharing the data.
- Obtain cookie consent before setting non-essential cookies on your website. You can use a cookie consent solution like CookieYes.
How can CookieYes help you get POPIA compliant?
CookieYes is a cookie consent solution used by more than 1 million websites worldwide to comply with privacy laws and guidelines such as GDPR, CCPA, LGPD and the French CNIL’s cookie rules.
Because POPIA’s definition of personal information includes online identifiers, cookies and similar identifiers fall within its scope. Your website therefore needs an adequate cookie consent mechanism: non-essential cookies should not be set, and the third-party scripts that set them should not run, until the data subject has consented.
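The loader below is an added illustration of consent-gated script loading in plain JavaScript; it is not CookieYes’s code or part of the original page. Third-party tags are shipped inert and only activated for the categories the data subject opted in to, and the consent record is stored with a timestamp and version so it can be produced later as evidence. The cookie name, the categories, the retention period and the sample script list are all assumptions.

```javascript
// Consent-gated loading of cookie-setting scripts. Added example, not CookieYes
// code. Cookie name, categories, retention period and script list are assumptions.

const CONSENT_COOKIE = "popia_consent";     // assumed cookie name
const CONSENT_VERSION = 1;                  // bump when purposes or banner text change
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // 180 days, an assumed retention period

// Constructed registry of scripts the site would otherwise load unconditionally.
// "necessary" scripts run without consent; every other category is opt-in.
const SAMPLE_SCRIPTS = [
  { id: "session",   category: "necessary", src: "/static/session.js" },
  { id: "analytics", category: "analytics", src: "https://analytics.example/a.js" },
  { id: "ads-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Default-deny: a script is permitted only if it is necessary or the data subject
// explicitly opted in to its category. A missing or malformed record permits
// nothing beyond the necessary scripts.
function permittedScripts(consent, registry) {
  const choices = consent && consent.choices ? consent.choices : {};
  return registry.filter(
    (s) => s.category === "necessary" || choices[s.category] === true
  );
}

// The record stored when the data subject makes a choice. The timestamp and
// version let you show later what was consented to and when, which matters
// because the responsible party bears the burden of proving consent.
function buildConsentRecord(choices, nowMs) {
  const c = choices || {};
  return {
    version: CONSENT_VERSION,
    givenAt: new Date(nowMs).toISOString(),
    choices: { analytics: c.analytics === true, marketing: c.marketing === true },
  };
}

// Serialize for document.cookie. Secure and SameSite=Lax keep the consent record
// itself off plaintext connections and out of cross-site requests.
function consentCookieString(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// Parse a document.cookie string ("a=1; b=2") back into a record. Anything
// missing, malformed or from an older consent version counts as no consent,
// so the banner is shown again instead of silently reusing stale consent.
function parseConsentCookie(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const record = JSON.parse(decodeURIComponent(rest.join("=")));
      if (record && record.version === CONSENT_VERSION && typeof record.choices === "object") {
        return record;
      }
    } catch (_) {
      // fall through: an unparseable value is treated as no consent
    }
    return null;
  }
  return null;
}

// Browser side: third-party tags are shipped as
//   <script type="text/plain" data-category="analytics" data-src="https://..."></script>
// so the browser parses but never executes them. After consent, the permitted
// ones are replaced with real script elements; the rest stay inert.
function activateScripts(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const registry = inert.map((el) => ({ el, category: el.dataset.category, src: el.dataset.src }));
  let activated = 0;
  for (const entry of permittedScripts(consent, registry)) {
    const live = doc.createElement("script");
    live.src = entry.src;
    entry.el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Page wiring; skipped outside a browser so the module also loads under Node.
if (typeof document !== "undefined") {
  activateScripts(document, parseConsentCookie(document.cookie));
}
```

The design choice worth noting is the default: with no record, a malformed record or a record from an older consent version, only the necessary scripts run, so a bug in the banner or a stale cookie fails closed rather than silently setting tracking cookies.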
CookieYes helps you generate a compliant cookie banner for your website so that you obtain prior user consent. You can fully customize the content, layout, colours and behaviour, and display an auto-translated banner in 30+ languages based on the user’s location.
You can scan your website for cookies and auto-block third-party scripts such as Google Analytics and Facebook Pixel until consent is given. You can also record user consent and export the consent log to demonstrate compliance.
Get ready for POPIA with CookieYes. Get started with a 14-day free trial.