The Information Regulator published the "Regulations relating to the Protection of Personal Information" in the Government Gazette on 14th December 2018 42110, RG 10897, GoN 1383 (just when we were all going off on holiday.)

Regardless of the timing, in terms of Section 114 (1) of the Act, "All processing of personal information must within one year after the commencement of this section be made to conform to this Act".  In the absence of any further statements or notifications from the Regulator, we must assume that this means we will need to comply by the end of 2019.

I have attached a copy of the Regulations, which can also be downloaded from POPIA Regulations or from: 

The pressure is now on.  Contact me at This email address is being protected from spambots. You need JavaScript enabled to view it. to see how we can assist you in fast-tracking your POPIA compliance.

Protection of Personal Information (POPI) isn't new in South Africa.  The Protection of Personal Information Bill was around in 2009, which meant that the discussion had been going on for years before that.  We became used to talking about POPI, and the Information Regulator is now prefering to use the term POPIA, or POPI Act. 

Is there a difference?

What is POPI?

POPI stands for Protection of Personal Information.  Regardless of whether there is a law or not, organisations should be considering what Personal Information they capture, manage and store, and how best to secure this.  It make common, logical sense that this information is sensitive, and shouldn't be exposed.  One of the principles that we all should consider is "privacy by design".  This means that we should consider privacy implications in all our processes and systems, and build security and privacy concepts into the day-to-day operation of our organisations. POPI is all about Privacy, and this means security.  In order to secure information, organisations need to clearly understand what information is gathered and kept.  This is going to require a detailed investigation and shouldn't be seen as a trivial exercise.  Once understood, steps need to be taken to protect the information.

What is POPIA?

POPIA stands for the Protection of Personal Information Act, Act No. 4 of 2013 or POPI Act.  This is the new law and is something that most (if not all organisations) will need to follow.  Is there a difference between POPI and POPIA?  Yes and no.  POPI is the act of protecting Personal Information.  This implies that all the policies, procedures, processes and practices in the organisation relating to personal information, are in fact doing POPI.  You cannot "do" POPIA, as this is merely the name of the law. In summary, in order to comply with POPIA, you need to implement a POPI programme.  In order to implement, there are a number of steps which need to be followed and a number of documents and instruments which need to be developed.   We'll be documenting these as things progress.  Join our mailing list to  keep up to date with latest POPIA developments.

Much of the Personal Information that is kept will be in the form of data in databases or systems, and the rest will be in form of documents or records.  Managing these correctly is imperative under POPIA.  This article will build on the records management elements that will need to be implemented in order to fully comply with the Protection of Personal Information Act.

Sections 100 – 106 of the POPI Act deal with instances where parties would find themselves “guilty of an offense”. The most relevant of these are:

  • Any person who hinders, obstructs or unlawfully influences the Regulator;
  • A responsible party which fails to comply with an enforcement notice;
  • Offences by witnesses, for example, lying under oath or failing to attend hearings;
  • Unlawful Acts by responsible party in connection with account numbers;
  • Unlawful Acts by third parties in connection with account number.

Section 107 of the Act details which penalties apply to respective offenses.

If someone is alleged to be in breach of the POPI Act, a complaint may be submitted to the Information Regulator.

This complaint will be dealt with by an adjudicator.If a person is not happy with the determination of the adjudicator, they can still approach the Information Regulator for another ruling.

Disputes and breaches are covered in great detail in the Act and the Act should be consulted before drawing up Policies and Procedures to handle such matters.

This article must be read in conjunction with the POPI Act which can be downloaded from Act No. 4 of 2013 : Protection of Personal Information Act, 2013


Page 1 of 3