It most certainly is – No business, no matter the size, is exempted from POPI!


The Protection of Personal Information Act (“POPI”) is legislation that aims to protect personal information that is processed by public and private bodies. POPI therefore applies to all bodies in the private and public sector.

Personal information is defined very broadly to include any unique and/or identifiable characteristic of a person, such as information regarding race, gender, marital status, health, finance, educational or medical history, views or opinions, correspondence of a confidential nature, contact details as well as biometric information, to mention only a few.


A private body is defined to include natural persons that trade in their own name, a partnership and legal persons. A public body includes any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government, any other functionary or institution exercising a public power or function in terms of any legislation.


POPI lists eight conditions for lawful processing of personal information: Accountability, Processing limitation, Purpose specification, Further processing limitation, Information quality, Openness, Security safeguards and Data subject participation.

“Processing” is any operation or activity, whether by automated means or not, concerning personal information, including collecting, recording, organising, storing, updating, distributing and the act of deleting personal information.

The Act also refers to information that is “recorded”. This includes writing on any material, book, map or drawing, and information produced or recorded on computer equipment.


Practically, taking into consideration the eight conditions, when a body acquires your information, with your consent, it must be used only for the purpose, and to the extent, for which it was acquired. The information then needs to be safeguarded against theft or compromise to ensure its integrity and accuracy.

Furthermore, the Act also changes the manner of consent with regard to direct marketing. To prevent the sending of unsolicited commercial communication, it uses an “opt-in” mechanism as opposed to an “opt-out” mechanism. This means that you have to choose to receive commercial communication, as opposed to receiving it and having the option to opt out of it. The Act also provides a prescribed manner and form for the consent to be obtained with regard to marketing material.

Only certain sections are already in force, but the whole of the Act will commence once the President proclaims the date. It is being speculated that this will probably be towards the end of 2018 with a one-year grace period, meaning that the Act’s deadline will probably be towards the end of 2019 or 2020.


Don’t delay in complying with the Act. Not adhering to the Act has very serious consequences. The Act lists offences for which a person, when found guilty, can face a fine of up to R10 million or 10 years’ imprisonment.

Contact us today to help you comply with this new era of information protection!