POPIA | South Africa’s Protection Of Personal Information Act

To learn more about our services, leave your contact information here, and we will get back to you, or call 03-9450630.

What is POPIA?

POPIA is South Africa’s Protection of Personal Information Act. It was designed to protect South African residents from privacy violations like identity theft and fraud. The law establishes conditions and restrictions for using and processing personal information.

The law came into force on July 1, 2020, but organizations were given a grace period and only had to meet the requirements starting from July 1, 2021.

 

POPIA defines and refers to 3 parties:

  1. The Data Subject: the person to whom the information refers.
  2. The Responsible Party: the person or organization that decides how to process the data and for what reasons. This includes for-profit companies, nonprofits, governments, government agencies, and individuals.
  3. The Operator: someone who processes personal information on behalf of the Responsible Party (e.g., an IT service provider).

The law outlines the Responsible Party’s duties and states that Responsible Parties may only receive services from Operators who can comply with POPIA.

 

Who has to comply?

All organizations and individuals that process personal information, including corporations and government bodies. Unlike regulators in other countries, the South African regulator has decided that small and medium-sized businesses are not exempt from POPIA. While exemptions for private individuals and small companies may be introduced in the future, this is not guaranteed.

 

To become POPIA compliant, you need to:

  • Appoint an information security officer.
  • Prepare a document detailing your organization’s privacy policy.
  • Raise your employees’ awareness of privacy concerns.
  • Amend and adjust your contracts with existing operators.
  • Report any information security gaps to the regulator and relevant data subjects.
  • Check that data transfers to other countries are carried out legally.
  • Only share information in ways that meet the law’s requirements.

 

What happens if you fail to comply with POPIA:

Responsible parties who fail to comply with POPIA may be subjected to the following:

  1. A fine ranging from 1 to 10 million rands (from over NIS 220,000 to over NIS 2 million) or 1–10 years of imprisonment.
  2. Monetary compensation to the relevant data subjects.

However, imprisonment for a POPIA violation is highly unlikely, and the fines are relatively small relative to South Africa.

That being said, POPIA violations risk damaging your company’s reputation, which means you might lose clients and be unable to find new ones.

Of course, your primary motivation for complying with POPIA should be to protect people from privacy violations and personal information loss.

 

Why choose Hermeticon? We’re glad you asked!

Hermeticon’s bespoke personal service means we can give you precisely what you need—no more, no less.

Working with us, you will receive best-in-class professional support. The team we will assign to your project will include a regulatory compliance consultant with proven information security expertise, a legal advisor, and a project manager whose job is to make sure the project is on schedule and to keep you happy!

A carefully crafted work plan is critical! A neat and detailed work plan is a great way to impress the regulator (though, of course, following the project is important too). Luckily for you, work plans are one of our specialties!

Why choose Hermeticon:

360° Cybersecurity & information security support

We provide technological solutions informed by legal expertise, combined with a deep understanding of organizational change and security awareness training.

Cybersecurity and information security solutions

We can identify and provide the right tech solutions for your organization.

Support from our resilience testing division

Our resilience testing experts have a wealth of experience and are well-versed in the most advanced security systems on the market.

A bespoke service scaled to match your needs

Over the years, we have gained a lot of experience. By taking a bird's-eye view of your business, we can identify your existing security weaknesses and provide your company's management with valuable insights.