The Protection of Personal Information Act 4 of 2013 (POPI)

The Protection of Personal Information Act 4 of 2013 (POPI) is a data protection law that aims to protect ‘personal information processed by public and private bodies’ and to ‘establish minimum requirements for the processing of personal information’. It also provides for the establishment of an Information Regulator to exercise powers relating to this Act.

POPI was signed into law on 26 November 2013, but its official commencement date is yet to be determined. Only those sections relating to the Information Regulator have so far been implemented, but once Section 114 is enacted all organisations that process personal information will have a year to comply with the Act’s requirements.

Information Regulator

As part of the Act’s implementation, those sections relating to the establishment of an Information Regulator became effective on 11 April 2014. The Information Regulator is an impartial five-person juristic body charged with:

  • Providing education about the lawful processing of personal information.
  • Monitoring and enforcing compliance with the Act.
  • Consulting with interested parties.
  • Handling complaints.
  • Conducting research and reporting to Parliament.
  • Issuing, amending and revoking codes of conduct.
  • Facilitating cross-border cooperation.

Rights of data subjects

Data subjects are defined by POPI as the persons to whom personal information relates; organisations that process personal information are ‘responsible parties’. POPI gives data subjects the right to have their personal information processed by responsible parties in accordance with eight named conditions: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation, which include the right:

  • To be notified when their personal information is collected by a responsible party, and when it has been accessed or acquired by an unauthorised person.
  • To establish whether a responsible party holds personal information on them, and to request access to it.
  • To request the correction, destruction or deletion of their personal information where necessary.
  • To object to the processing of their personal information.
  • Not to have their personal information processed for direct marketing purposes by means of unsolicited electronic communications.
  • To complain to the Information Regulator about alleged interference with personal information.
  • To institute civil proceedings regarding the alleged interference with their personal information.

Direct marketing (spam)

The processing of personal information for electronic direct marketing purposes is prohibited by POPI unless the data subject opts in, making spamming illegal.


POPI does not apply to the processing of personal information:

  • In the course of a purely personal or household activity.
  • That has been de-identified to the extent that it cannot be re-identified again.
  • By or on behalf of a public body for national security or for the prevention, detection, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures.
  • By the Cabinet and its committees or the Executive Council of a province.
  • Relating to the judicial functions of a court referred to in section 166 of the Constitution.
  • Used for journalistic, literary or artistic purposes.

Mandatory data breach notification

Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, the responsible party must notify the Regulator and the data subject in writing as soon as possible after the discovery of the compromise, providing sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. In some cases, the Regulator may direct the responsible party to publicise the compromise.

International information flows

Responsible parties must not transfer personal information to third parties in foreign countries unless those countries have similar data protection laws in place or the data subject consents to the transfer.

Compliance and penalties for non-compliance

Once Section 114 is enacted, all processing of personal information must be made to conform to POPI within one year (with the possibility of a three-year extension). The Regulator may impose fines for infringements of the Act, and Magistrates’ Courts may impose penalties for offences under the Act ranging from up to 12 months’ imprisonment and/or a fine to ten years’ imprisonment and/or a fine.

POPI and ISO27001

The secure processing of personal information is a key feature of POPI. Organisations looking to comply with POPI need to have a robust Information Security Management System (ISMS) in order to manage their POPI compliance effectively. Information security is a broad approach that addresses the security of information in all forms and covers paper documents, physical security and human error as well as the handling of digital data.

In order to achieve an effective cyber security posture, organisations must realise that hardware and software solutions alone are not enough to protect them from cyber threats and that a broader information security approach is needed. The three fundamental domains of effective information security are people, process and technology.

ISO27001 is the internationally recognised best-practice Standard that lays out the requirements of an ISMS and forms the backbone of every intelligent cyber security risk management strategy. Other standards, frameworks and methodologies need ISO27001 in order to deliver their specific added value.

Organisations with multiple compliance requirements often seek certification to ISO27001 as its comprehensive information security approach can centralise and simplify disjointed compliance efforts; it is often the case that companies will achieve compliance with a host of legislative requirements simply by achieving ISO27001 certification.

The latest version of the Standard, ISO27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO27001:2013 has been developed in order to harmonise with other standards, so the process of auditing other ISO standards will be an integrated and smooth process, removing the need for multiple audits.

Further, the additional external validation offered by ISO27001 certification is likely to improve an organisation’s cyber security posture while providing a higher level of confidence to customers and stakeholders – essential for securing certain global and government contracts.

How ISO27001 can help you comply with South African data protection legislation

How ISO27001 can help you comply with South African information security legislation

Written by cyber security expert Alan Calder, this free guide details how to leverage ISO27001 as a single framework for creating a cyber secure enterprise while supporting adherence to POPI and many other cyber security laws.

Enter your name and email address below to read our free guide on complying with cyber security legislation in South Africa:

Why IT Governance?

IT Governance is a specialist in the field of information security and IT Governance, and has led more than 400 successful certifications to ISO27001 around the world.

IT Governance has created ISO 27001 packaged solutions to give South African organisations online access to world-class expertise. Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.

Get started today >>