What is POPI compliance and the steps you need to take


What is POPI compliance?

The Protection of Personal Information Act 4 of 2013 (“POPI Act”) is a new Act which governs the way in which businesses handle the personal information that they collect from others.

As such, POPI Act compliance, also known as POPIA compliance or Protection of Personal Information Act compliance, refers to the processes which need to be followed in order to bring an organisation into alignment with the provisions and requirements of the POPI Act.


Does my organisation need to become POPI compliant?

The basic rule of thumb is that if your organisation collects or passes on any personal information (which the Act calls "processing"), it is required to become POPI compliant.

In practice this means that even if you never look at the personal information directly, merely having the ability to see it, or simply passing it on, is enough to require your organisation to become POPI compliant.


What is personal information?

Personal information comprises any information relating to an identifiable natural or juristic person. A natural person is an individual like you and me, whereas a juristic person is an entity such as a business.

Based on the above, examples of personal information might include the following:

  • Race;
  • Gender;
  • Sex;
  • Marital status;
  • National, ethnic or social origin;
  • Sexual orientation;
  • Age;
  • Physical or mental health;
  • Religion;
  • Conscience or belief;
  • Medical, financial, criminal or employment history;
  • Email addresses;
  • Physical addresses;
  • Telephone numbers;
  • Names;
  • Biometric information.

What are the general processes to be followed in order to become POPI compliant?

It is clear that the net is cast very wide as to what constitutes personal information and hence the requirement to comply with the POPI Act.

The following are the typical processes and policies which an organisation should put in place in order to become POPI compliant.


Data Protection Policy

If you collect personal information from clients, suppliers, agents, independent contractors, or any other external parties, a Data Protection Policy must be put in place. A Data Protection Policy regulates how you may access, process, and in some cases, share the personal information you collect from third parties.


Application, Software or Website Privacy Policy

If you operate a website or software application which collects any personal information, it is essential that you put a Website / Application Privacy Policy in place. This Privacy Policy lays out, among other aspects, what types of personal information you collect from users of your website / application, how you use it, and who you share it with.


Operator Agreement / Data Processing Agreement

If you act as an intermediary passing on the personal information of others, or you receive personal information from an intermediary, you must enter into a written agreement with the entity from which the personal information is received or with the intermediary, as the case may be. This agreement is known as an Operator Agreement or a Data Processing Agreement, and its purpose is to ensure the security of the personal information.


Registration of an Information Officer

Each organisation that collects personal information must designate one of its personnel as an Information Officer and have that person registered as such.


PAIA Manual (Promotion of Access to Information)

A PAIA Manual is a document that explains how, when and in what context third parties can access records held by a company, and is required of all organisations.


Data Breach Policy

A Data Breach Policy helps you and your employees deal with incidents that result in actual or suspected data breaches, and ensures that the right procedures are followed to report and contain breaches.


How to simplify the POPI compliance process

We understand it can be overwhelming putting all of the above policies and procedures in place. As such, we at Legal Legends have come up with a number of POPI compliance packages where we do all the hard work of ensuring that your organisation becomes POPI compliant, allowing you to sit back and concentrate on the aspects that matter to you.

We also have an automated POPI Act Compliance Checklist Questionnaire which will compile an automated report setting out the correct policies and procedures specific to your business that you need to have in place in order to become compliant.
