
A Guide to the Protection of Personal Information Act – A Layman’s Perspective

As South Africa trudges towards the deadline to comply with the Protection of Personal Information Act 4 of 2013 (POPIA), there are many indications that a good number of entities have little or no strategy in place to comply with the Act.

This stems from not having an adequate grasp of what the Act expects of them. This may be tragic on the one hand and costly on the other, especially considering that when POPIA came into effect on 1 July 2020 it provided for a grace period of 12 months (ending 30 June 2021) for entities to put measures in place to comply.


Protection of Personal Information Act Penalties

Before 1 July 2020, some sections of POPIA had come into operation as far back as April 2014. Further to this, the law holds that ignorance of the law is not an excuse.

It therefore will become a herculean task for non-complying entities to escape liability after the lapse of the deadline, and this will invite sometimes hefty penalties depending on the circumstances.

A Guide to the Protection of Personal Information Act South Africa

This brief discussion will attempt to break down the obligations of POPIA for the benefit of even those least familiar with the law. Each organisation is still expected to determine how these obligations apply to it and to come up with systems to comply.

As a point of departure, POPIA describes entities that collect and process personal information as responsible parties, and those whose personal information is collected as data subjects.

For the purpose of this article and for avoidance of confusion, we will generally assume that a responsible party is a company, and a data subject is an individual/human client/customer.

Responsible parties are required by POPIA, in their collection and processing of personal information, to comply with eight conditions.

These conditions are recognised by the Act as the cornerstones of achieving integrity, transparency and responsibility in as far as lawful collection and processing of personal information is concerned. These conditions can be summarised as:

  1. Accountability – the procedures for collection and processing must pursue compliance as the main goal.
  2. Processing limitation requires that the information be processed only for the main and ancillary (if any) purposes for which it was collected.
  3. Purpose specification requires that the aim of such collection be explicit, accurate and agreed to by the data subject.
  4. Further processing limitation requires that should a secondary purpose ensue for processing the collected information, added authorisation may be required from the data subject.
  5. Information quality requires responsible parties to validate information as it is collected or within a reasonable time, such that the information retained for processing is accurate and complete.
  6. Openness requires that the process of information collection and the purpose thereof be as transparent as possible, with all parties fully aware.
  7. Security safeguards requires responsible parties to ensure that they have mechanisms in place to guard against security breaches of the information gathered.
  8. Data subject participation requires that the data subject be in the know about collection, amendment or obliteration of their information.

How to Comply with POPI Act South Africa

While the conditions mentioned above may appear easy at face value, the challenging part is how a responsible party can achieve them.

Our best advice is to seek legal assistance to alleviate risks involved in the process which is fraught with legal and technical hurdles.

However, on a general note, responsible parties are advised to have an office or individual responsible for the compliance of data collection and processing systems, who will then embark on training staff about their obligations with regard to POPIA.

This will require having a data breach and recovery plan in place, consent documentation, privacy notices and an overhaul of the information system to recognise and fully comply with the eight conditions mentioned above.

Van Deventer & Van Deventer Incorporated – Attorneys in Johannesburg and Cape Town

The processes described above are fraught with legal and technical considerations which must be strictly adhered to, and legal assistance from our able attorneys will make the process easier, faster, and more secure.

We stand ready to comprehensively assist you in that regard as well as numerous other areas of law. Please contact us for more information.

