Member Article

The Protection of Personal Information Act, 2013 (“POPIA”), South Africa’s privacy or data protection legislation, applies to the processing (which includes collection, use, receipt and destruction) of personal information, such as names and contact details, of individuals and juristic persons, in South Africa.

POPIA places various obligations on a “responsible party” (such as a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information).

POPIA applies to all responsible parties, regardless of size or turnover. SMEs must therefore comply too or risk facing hefty penalties (which includes fines of up to ZAR10-million, 10 years imprisonment for the head of the organisation or civil damages claimed by data subjects). POPIA is fully in effect from 1 July 2021.

In addition to general compliance with POPIA, organisations (including SMEs) are obliged to:

1. Appoint an information officer. In the absence of an appointment, this will automatically be the CEO of the organisation. Register the information officer with the Regulator;
2. Make certain mandatory disclosures to data subjects, including with whom their personal information is shared (ie, a privacy policy);
3. Develop, implement and maintain a POPIA compliance framework;
4. Develop a data protection policy;
5. Conduct personal information impact assessments to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information (ie, POPIA audit questionnaires and gap analysis);
6. Develop, monitor and maintain of a manual as prescribed in the Promotion of Access to Information Act, 2000 (ie, a PAIA manual);
7. Develop internal measures, together with adequate systems, to process requests for information or access thereto (ie, a data subject access request policy);
8. Conduct internal awareness and training sessions;
9. Include certain mandatory provisions in its agreements with operators (ie, third parties who process personal information on its behalf); and
10. In some instances, prior authorisation must be obtained from the Regulator, including where the responsible party transfers special personal information or information of children to countries without adequate data protection laws. From 1 July 2021 onwards, such processing would have to be suspended unless it has been authorised by the Regulator. In addition, non-compliance, if an offence could lead to criminal penalties. We can gladly provide advice in this regard.

It is important to note that section 77H of POPIA provides that “The Information Regulator … may make an assessment … of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned."

In addition, in terms of section 109(3) “when determining an appropriate fine, the Regulator must consider … any failure to operate good policies, procedures and practices to protect personal information”.

SMEs are not immune from being penalised for data breaches. In the UK, the Information Commissioner’s Office (the UK equivalent of the Information Regulator), in one of its first fines, issued a fine to a pharmacy in London of GBP275 000 for failing to secure physical records which contained sensitive personal information (the pharmacy had left approximately 500 000 documents in unlocked crates, disposal bags and a cardboard box in a rear courtyard of the premises). Fines have also been issued to SMEs for direct marketing contraventions (a boiler replacement company was fined GBP160 000 because they were spam calling people).

For more information about our POPIA compliance initiatives and special packages for SMEs please contact:

Era Gunning
Banking and Finance Executive
[email protected]
+27 82 788 0827

Nicole Gabryk
Dispute Resolution Executive
[email protected]
+27 82 787 9792