The Protection of Personal Information Advanced FAQ |PoPIA

PoPIA l Petanque International

While the Protection of Personal Information Act (PoPIA) is clear in its directives, the practical application of these requirements is raising questions. Our PoPIA Team answers some of the more advanced questions that are being asked.

In the event of a data breach how will organizations be expected to disclose such a breach and to whom? Does POPIA mean that a company will have to declare it if they’ve been breached?

Section 22 of the Protection of Personal Information Act, 2013 (hereafter referred to as POPIA) states that the responsible party must notify the Regulator and the data subject/s of any breach.

It is stated that this notification must be done as soon as possible i.e. the responsible party may not delay notification. Such a delay is only acceptable if the data subject/s identity is unknown.

The data subject/s must be notified in writing (by letter or email).

The Regulator may instruct the responsible party to publicise the breach if this publication would protect the data subjects and enable them to timeously deal with the consequences of any breach.

How will cloud service providers, who host servers for companies that collect personal information, be impacted by POPIA?

In section 72 of POPIA the clause states that a responsible party may not transfer personal information into a jurisdiction where privacy regulation does not offer the same protections to data subjects as POPIA.

Therefore, cloud service providers will have to evaluate privacy protection regulation in jurisdictions where they host servers and ensure the standards of privacy protection are similar to, or more stringent, than South Africa’s regulation. Cloud service providers should furthermore disclose to responsible parties the jurisdiction/s where servers are hosted and, responsible parties who utilise the cloud computing service providers will need to manage the outsourced relationship to ensure the requirements of POPIA are met.

How does POPIA impact on production data used in a development or test environment for software testing purposes?

Personal Information (PI) being used for testing or development purposes must be de-identified, wherever possible, as a security safeguard

If the PI cannot be de-identified, then the same level of security safeguards which apply to the lawful processing of PI must apply to the PI used for testing and development.

What is seen as “reasonable controls” as per Principle 7 of POPIA?

To meet the requirement of reasonability as outlined in principle (condition 7) the standard of law is the prevention of loss of PI, damage to PI or unlawful processing. Condition 7 says the responsible party must complete a risk assessment of all foreseeable events which could lead to the loss, damage of unlawful processing of PI and put controls in place to prevent these occurrences.

Consideration should be given to structured and unstructured processing of PI. Encryption of all mobile devices and laptops would be considered a minimum control. Strict management of data leakage via the usage of USB ports, secure email, usage of cloud storage such as drop box, secure printing, file share and SharePoint sites, paper waste management and the physical security of paper based PI records should all be considered.


There is no doubt that there will be more questions popping up as the practicalities of PoPIA are considered. As with any new regulation, it will take some time to get clarity on all the nuances of the regulation. In the mean time though, please share your questions by dropping us a line at popi(at)

%d bloggers like this: