What is POPIA?
The Protection of Personal Information Act (POPIA) is South Africa's data privacy law, which came into full effect on 1 July 2021. Every business that collects, stores, or processes personal information must comply or face fines of up to R10 million and possible imprisonment.
Who Does POPIA Apply To?
POPIA applies to any person or organisation that processes the personal information of SA residents, including:
- Small businesses collecting customer details
- Companies storing employee records
- Websites with contact forms or newsletters
- Anyone using WhatsApp for business communications
8 Conditions for Lawful Processing
- Accountability - Appoint an Information Officer
- Processing Limitation - Only collect what you need
- Purpose Specification - Be clear why you are collecting data
- Further Processing Limitation - Do not use data for other purposes
- Information Quality - Keep data accurate and up to date
- Openness - Have a Privacy Policy
- Security Safeguards - Protect data from breaches
- Data Subject Participation - Allow people to access or delete their data
Practical Steps to Comply
- Register your Information Officer with the Information Regulator (free, online)
- Create a Privacy Policy for your website
- Audit what personal data you collect and why
- Secure your systems with passwords, encryption and access controls
- Train staff on data handling
- Have a data breach response plan
Penalties for Non-Compliance
The Information Regulator can issue fines up to R10 million. Serious breaches can result in imprisonment of up to 10 years. Do not ignore this.