24/03/2026
The Protection of Personal Information Act (POPIA) is South Africa's data protection law that came into full effect on July 1, 2021. It mandates that public and private bodies handle personal information lawfully to protect the constitutional right to privacy, with severe penalties for non-compliance including fines up to R10 million or imprisonment.
Key Aspects of POPIA
Purpose: To protect the personal information of individuals and companies ("juristic persons") processed by organisations.
Definition of Processing: Covers collecting, receiving, recording, organizing, retrieving, using, storing, distributing, and destroying data.
Key Principles:
Accountability: Taking responsibility for data protection.
Processing Limitation: Collecting only the minimum data required for lawful purposes.
Purpose Specification: Defining exactly why data is collected and erasing it when no longer needed.
Security Safeguards: Protecting data from hacks, breaches, and misuse.
Data Subject Participation: Allowing individuals to request access to or correction of their data.
Compliance Requirements: Organizations must appoint an Information Officer, draft a privacy policy, train employees, and report breaches to the Information Regulator.
Information Regulator: An independent body (established under the Act) that investigates complaints and enforces compliance.
Penalties: Violations can result in severe fines (up to R10 million) or imprisonment for up to 10 years.
The Act strikes a balance between protecting personal information and allowing the free flow of information for economic and social purposes.