Protection of Personal Information Act finally commencing on 1 July 2020

personal information
30 Jun 2020

The President has proclaimed that the remaining sections of the Protection of Personal Information Act, 2013 (“POPI”) will at last now come into effect.

The operative sections of POPI that deal with the lawful processing of personal information, regulation of the processing of special personal information, the codes of conduct issued by the Information Regulator, regulation of direct marketing by way of unsolicited electronic communication and the general enforcement of POPI will come into effect on 1 July 2020.

POPI is applicable to any person, business or entity that processes personal information of data subjects, for example profit companies, non-profit companies, hospitals and medical practitioners, medical schemes, insurers, attorneys, estate agents, government departments, state owned companies and entities and municipalities (called “responsible parties”), and also to any person, business or entity that processes personal information on behalf of a responsible party, for example IT vendors or medical scheme administrators (called “operators”).

Data subjects are the natural persons or juristic persons whose personal information is processed by responsible parties and operators. Data subjects range from being clients, members or subscribers of responsible parties, for example, to their employees.

Responsible parties and operators will have 12 months from 1 July 2020 to become fully compliant with the POPI Act. This means that they will have to take the necessary measures to ensure that any personal information of data subjects that they process is appropriately protected against the loss thereof, or the unauthorised access thereof by third parties. Practically, in order to implement such measures, responsible parties and operators will have to –

  • appoint an information officer;
  • identify and asses the nature and extent of personal information that they process;
  • identify current POPI compliance gaps in their processing procedures and processes;
  • formulate a POPI compliance framework and the necessary POPI compliance policies and procedures;
  • review all operational and employment agreements, as well as online operations and terms and conditions;
  • provide training to employees on their POPI obligations and the implementation of their POPI policies and procedures.

See also:

(This article is provided for informational purposes only and not for the purpose of providing legal advice. For more information on the topic, please contact the author/s or the relevant provider.)
Zelmaine van der Westhuizen

Zelmaine van der Westhuizen is a Director in GMI’s Corporate and Commercial Department. Zelmaine joined GMI as a Candidate Attorney in 2004, and was admitted as an Attorney in 2005,... Read more about Zelmaine van der Westhuizen


Constitutional Law & Civil Rights articles by

Constitutional Law & Civil Rights articles on GoLegal