

Introduction

Think about how broad the definition of “personal information” (PI) can be: customers, beneficiaries, employees, suppliers, donors, in fact anyone we interact with as an organisation. The Protection of Personal Information Act No. 4 of 2013 (POPI Act) was signed into law in November 2013 and fully commenced in July 2021, including the enforcement powers of the Regulator. Organisations that determine the purpose and means of processing PI (called the Responsible Party) must be fully compliant or face the prospect of some potentially stiff penalties (including fines of up to R10 million), or worse, reputational damage and loss of support from stakeholders. That’s the “stick” part of the deal. The “carrot” aspect is the opportunity to boost confidence in your organisation by demonstrating how you manage sensitive personal data. PI includes (but is not limited to) information about clients, suppliers and employees, whether it sits in emails, invoices, databases or printouts. Demonstrating good management means showing you have processes and procedures in place to handle effectively and securely all aspects of what is covered in the POPI Act (POPIA).

Where does POPIA Come From?

Privacy and data protection acts have already existed in other countries for several years. Examples are the European Union (EU) Data Protection Act, which came into effect in 1995 and was updated as the General Data Protection Regulation (GDPR, 2016), and the UK Data Protection Act. The POPI Act is modelled to a large extent on the 1995 EU legislation, and POPIA has been written to ensure that South Africa is in line with international best practice.

What Does POPIA mean to my organisation?

There’s lots to consider, including:

  • Personal information will have to be protected and processed in a different way, in accordance with the conditions of the law;
  • Employee and other PI may not be disclosed to another party without the person’s consent or under other strictly controlled circumstances;
  • Employee and other PI will have to be destroyed in a controlled manner when the purpose for which the information is held is no longer valid;
  • Standards will have to be defined for shredding equipment similar to standards in other countries so that the new law can be applied to these in an appropriate manner;
  • Steps should be taken to ensure that personal information stored on removable media such as memory sticks is protected in a controlled manner and consideration should be given to providing advice to consumers.

POPIA “Do’s and Don’ts”:

Do:
  • Understand what the POPI Act means to your business;
  • Make sure you have assigned ownership for compliance with POPIA;
  • Start by conducting an assessment of how far you are already compliant;
  • Develop a plan to address areas of noncompliance identified;
  • Engage with all the relevant stakeholders impacted by POPIA;
  • Remember the “stick and carrot” aspects of POPIA;
  • Think about the implications of POPIA for the products and services you provide.

Don’t:
  • Ignore POPIA; it won’t go away!
  • Underestimate the amount of work that is required to change your business policies, processes and procedures, documentation and systems;
  • Panic! POPIA compliance is more like climbing Table Mountain than Mount Everest;
  • Rush into your compliance efforts; take a structured, project-based approach to make your compliance efforts effective.

So Where Should you Start?

A number of steps should be taken to prepare for POPIA. These include:

Organisational – start a POPIA preparation programme and appoint an Information Officer to drive your POPIA compliance initiatives; an awareness and training programme should be prepared and delivered so that everyone in the business understands the implications of POPIA;

Legal – review contracts with service providers where personal information is stored on your company’s behalf; for example, if you have outsourcing arrangements in place, ensure that these are amended to include personal information protection. This applies to business partners as well, where customer or donor information is shared with them;

Business – identify processes where personal information is involved. Examples include donor and supplier information, and the handling of employee information. These processes should be amended to ensure that they comply with the principles in the POPI Act;

Technology – electronically stored personal information should be identified and steps taken to ensure that such information is protected in line with the security safeguards principle contained in the Act.


Copyright © Dr Peter Tobin and Mr John Cato, 2021. An earlier version of this article was published at

Author contact details:

Dr Peter Tobin, BA(Hons), MBA, DPhil, CGEIT, CIPM, PMP. Dr Tobin is founder of Peter Tobin Consultancy and is a Partner of The Change Collective.

Mr John Cato, Certified Data Protection Officer, is founder of IACT-Africa.

This article was submitted by Dr Peter Tobin.
