POPIA Act-GWM Chartered Accountants

The one-year grace period under the Protection of Personal Information Act 4 of 2013 (POPIA) ends on 30 June 2021, so from 1 July 2021 businesses must be fully compliant with the Act. Whether your business is a company or a sole proprietorship, the legislation is binding on you if you process personal information.

If you collect or hold information about an identifiable individual, or if you use, disclose, retain or destroy that information, you are almost certainly processing personal information. The scope of POPIA is very wide: it applies to almost everything you might do with an individual's personal details, including those of your employees.

Non-compliance can attract a fine of up to R10 million, imprisonment of up to 10 years, or both, so it is very important to get your personal information records in order.

The good news is that there are a few steps you can take as a small business owner that will move you closer to POPIA compliance and significantly reduce the chance that you suffer a personal information breach.

1.  Appoint an Information Officer

The Information Officer must be registered with the Information Regulator on its electronic portal. If you have not designated one in writing, the head of the business (for a company, the CEO or equivalent) is the Information Officer by default; that role can be delegated in writing, and deputy Information Officers can be designated to assist.

The general responsibilities of the Information Officer are:

  • Encouraging and ensuring the business’ compliance with POPIA
  • Dealing with information access requests pursuant to POPIA
  • Working with the Information Regulator in relation to investigations conducted in terms of POPIA

2.  Assess and compile a list of the personal information you currently process in your business

Personal information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable existing juristic person, including, but not limited to:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.

2.1  Identify where the information is processed, what type of information it is, and by whom it is processed.
2.2  Delete any record of personal information, or de-identify it, as soon as reasonably practicable after you are no longer authorised to retain it, for example when:
  • The information is no longer necessary for the purpose for which it was obtained
  • The data subject has withdrawn their consent or never given consent for processing of information

3.  Evaluate all service agreements relating to data processing and update your contracts accordingly

Any third party ("operator") that holds or processes personal information on your behalf may only do so with your knowledge and authorisation, must treat the information as confidential, and must have the necessary security measures in place. POPIA requires this to be secured in a written contract between you and the operator.

4.  Develop a compliance framework

To comply with the Act, businesses must implement proper systems for obtaining individuals' consent where it is required, and for deleting or destroying personal information once it is no longer required. They should add disclaimers to physical and digital forms where applicable, and update their terms and conditions to communicate what information they hold and how it will be used, stored and, if applicable, shared.

In your framework you must:

  • Define the purpose of the information gathering
  • Ensure the personal information that you intend to collect is for a specific, explicitly defined and lawful purpose that relates to a function or activity of your company
  • Determine how long the information will be retained in order to achieve this purpose
  • Notify the person whose information is being processed about how and for what purpose the information will be processed
  • Define how you will collect data
  • Define how you will process data
  • Define how you will store data
  • Define how long you will store data
  • Take steps to ensure the data you collect and subsequently process is accurate and complete

5.  Educate your employees

Training of all relevant staff should be conducted on an ongoing basis, so that staff understand the impact of POPIA on their particular area of focus within the organisation.

6.  Check Security measures and know what to do about breaches

POPIA (section 19) requires you to take appropriate, reasonable technical and organisational measures to secure the personal information you hold. Work through with your team all reasonably foreseeable risks of loss of, damage to or unauthorised destruction of personal information, and of unlawful access to or processing of it, and put safeguards in place against each one. Review these safeguards regularly, as the risks and the available countermeasures change over time.

Any actual or suspected breach (called a "security compromise" in POPIA, section 22) must be reported "as soon as reasonably possible" after it is discovered, both to the Information Regulator and to the data subject(s) involved. The notification must contain enough information to allow the data subjects to take protective measures against the potential consequences of the compromise.

7.  Check if you do any direct marketing

Direct marketing includes any approach to a data subject to promote or offer to supply, in the ordinary course of business, any goods or services. Unsolicited electronic direct marketing (for example e-mail, SMS or automated calls) is prohibited unless the data subject has consented to it, or is an existing customer whose contact details were obtained in the context of a sale and who is marketed your own similar products or services and given the opportunity to opt out. A person who is not yet a customer may be approached only once to request consent.

POPIA establishes rights and duties designed to safeguard personal information. It balances the legitimate need of organisations to collect and use personal information for business and other purposes against the right of individuals to have their privacy, in the form of their personal details, respected. Most responsible businesses will already comply with POPIA in their normal course of business; what is now important is that they document that they have considered the POPIA requirements.

Contact us if you require any assistance with your POPIA compliance.