PoPIA FAQ: does the Protection of Personal Information Act apply to me? | PoPIA

PoPIA | Pétanque International

A burning question for most anyone in business is this: do I need to be concerned about the Protection of Personal Information Act? Does it apply to me and my business? The answer, in short, is yes. Let’s explain.


Do I need to know about PoPIA?

Any organisation – be it private or public, for profit or non-profit – that processes personal information of clients, suppliers and/or staff is required to comply with the Act.

What does “processing personal information” mean? Personal information is information of a personal nature pertaining to clients/customers, employees, contractors and third parties. The Law clearly specifies how “personal information” is defined (with reference to section 14 of the Protection of Personal Information Act, no 4 of 2013) using a total of 48 data elements to describe what is considered personal information.

Is anyone exempt from the Act?

The Act effectively applies to all organisations that process personal information, with very few exceptions. The groups that have been excluded are:

  • journalists using the information in the public interest,
  • writers or artists using the information for literary or artistic purposes,
  • judges carrying out their official duties,
  • personal households using the information in the course of personal or household activities,
  • state bodies involved in crime prevention, and
  • the Cabinet, its committees and the Executive Council of a province.

What will happen if I don’t comply with PoPIA?

The organisation could face civil liability claims and criminal sanctions. It could mean a fine of up to R10 million and/or up to 10 years of imprisonment. The CEO or Managing Director of the organisation is deemed to be the Information Officer of the company, and as such, would be held liable.

Apart from the legal repercussions, non-compliance could affect market share, since reputational damage, in this age of social media, could have dire effects.

Who is going to be enforcing the regulation?

The Information Regulator will govern the privacy regulation.


DISCLAIMER: We are not legal experts. Our guidance is based on practical experience gained by assisting other organisations, like yours, to get compliant. We always recommend that you retain legal counsel to advise on the legal aspects of the Act.


Want to know more about the basics of the Protection of Personal Information Act (PoPIA)? Read our “What is PoPIA?” blog here.