The Protection of Personal Information Act ( PoPIA ) was signed into South African law in late 2013 and is finally coming into full effect in June 2021

The focus, for many, has been the security implications of ensuring that personal data is not accessed without authorisation. The PoPI Act, however,  goes much further than simply defining how personal data may be captured and used. The Act governs the end-to-end life cycle of personal data within any company, irrespective of the size.

The Act provides for fines of up to R10 million, or jail terms of up to ten years, for non-compliance.

What is Personal Information?

PoPIA defines personal information as any data that may identify a natural, legal or juristic person, or distinguish that person from another. This includes aspects as diverse as religion, medical history, bio-metrics, online screen names, or even opinions of, or about, a third party.

Unlike GDPR, the PoPI Act applies to the data of any legal entity – from a natural person to a company, trust or non-profit institution. As such PoPI extends beyond customer data and governs the use of other party's data, such as data related to employees, suppliers and partners.

Data management principles are woven directly into the Act.

PoPIA weaves data management principles directly into the Act

What does PoPIA compliance require?

Broadly speaking, PoPI controls how personal information is used within an organisation, from data capture to destruction. 

Some of the requirements for PoPI include:

  • Only collecting and keeping information you need for a specific purpose

  • Limiting access to personal data

  • Ensuring the quality of personal information

  • Allowing the subject of the data to see it upon request

How does our data management practice help?


Data Governance – identify and enrol key stakeholders to define, document, communicate and enforce acceptable use policies for personal information within your organisation.

  • Condition 1 Accountability
  • Condition 2: Processing limitation
    • Data collection policies
  • Condition 3 & 4: Valid Purpose
  • Condition 3: Retention policies
  • Condition 5: Data quality standards and rules
  • Condition 7: Security policies
    • Breach management process
    • Data sharing agreements

Data Quality – ensure that personal data used within your company is of an acceptable level of quality and measure compliance to data governance policies.

  • Condition 5: Data quality standards and rules

Master Data Management – ensure that you can provide an accurate indication of what data you are holding about each subject, irrespective of the channel they use to communicate with you.

  • Condition 5: Data Quality standards and rules
  • Condition 6: Data subject notifications
  • Condition 8: Subject access

Metadata Management - understand where sensitive data is stored, and how it moves through the organisation

  • Process register
  • Personal data inventory
  • Data quality metrics

Data Security – identify and control where personal data is held,  who has access to it and whether this access is appropriate.

  • Condition 3 & 4: Valid Purpose
    • Role-based security at the column level
  • Condition 7: Security policies
    • Section 19, 20, 21: Dynamic encryption and masking at rest and in movement
    • Section 20, 21: No sharing of keys with 3rd parties including cloud providers
    • Section 22: Real-time monitoring and behaviour-based alerts 


Data privacy

Govern, Protect and Monitor your Personal Data


PoPIA Accelerator

Fast-track compliance with pre-built operating model


Analyst Report

Data Privacy, Data Security, and Data-Related Compliance

analyst report

Data Classification

Data Privacy, Data Security, and Data-Related Compliance


Free Joomla! templates by AgeThemes