South Africa’s comprehensive privacy law, the Protection of Personal Information Act (POPIA), commenced on 1 July 2020 with a 12-month grace period, so full compliance has been required since 1 July 2021. POPIA (often called the POPI Act) gives effect to the constitutional right to privacy by safeguarding personal information while still allowing the free flow of information for legitimate purposes.
According to a survey by TPN Credit Bureau on POPIA readiness, only 8% of the businesses surveyed scored above 80%. Businesses in South Africa that have not yet done so need to take concrete steps to become compliant.
What is POPIA law?
The Protection of Personal Information Act (POPIA) protects personal information in South Africa in much the same way that the GDPR does in the EU. In summary, POPIA:
- Sets out the conditions for lawfully processing information about natural persons and juristic persons
- Gives data subjects rights over their personal information
- Establishes an independent Information Regulator to enforce the Act
The key definitions under POPIA are:
- The data subject: the person to whom the personal information relates.
- The responsible party: the person or body (an individual, business, non-profit or government body) that determines the purpose and means of processing personal information. This is the “controller” in GDPR terms.
- The operator: the person or body that processes personal information on behalf of the responsible party, under a contract or mandate, without coming under its direct authority. This is the “processor” in GDPR terms.
Read the official text of the POPIA here.
Who is POPIA applicable to?
POPIA applies to organisations that process (collect, store, use, share or otherwise handle) the personal information of data subjects in South Africa.
- Under POPIA, personal information can relate to a “natural person” (a living human being) and also to a “juristic person”, i.e. a separate legal entity such as a company.
- The Act applies to any responsible party domiciled (legally based) in South Africa.
- POPIA also applies to responsible parties outside South Africa if they “make use of automated or non-automated means” in the country, unless those means are used only to forward personal information through South Africa.
Processing excluded from POPIA includes:
- Personal information processed in the course of a purely personal or household activity
- Processing by or on behalf of a public body that involves national security, defence or public safety, or the prevention, investigation or prosecution of offences (including combating money laundering); processing by the Cabinet and its committees or a provincial Executive Council; and processing relating to the judicial functions of a court
What is personal information in POPIA?
Personal information is defined as “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.” It includes, but is not limited to:
- Name and age
- Gender/sexual orientation
- Marital status
- National, ethnic, or social origin
- Religion, beliefs, or culture
- Educational, medical, financial, criminal, or employment history
- ID number
- Email address, contact number
- Physical address
- Photo, video, voice recordings
- Biometric information
What are the data subject rights in POPIA?
- Right to be notified that personal information about the data subject is being collected, and to be notified if that information has been accessed or acquired by an unauthorised person
- Right to request access to their personal information
- Right to request correction, destruction or deletion of their personal information
- Right to object, on reasonable grounds, to the processing of their personal information
- Right to object to processing for the purpose of direct marketing by means of unsolicited electronic communications
- Right not to be subject to a decision based solely on automated processing of their personal information
- Right to submit a complaint to the Information Regulator
- Right to initiate civil proceedings for any violation
What are the principles of data processing in POPIA?
POPIA sets out eight conditions that must all be met for personal information to be processed lawfully. They are:
- Accountability: The responsible party is accountable for compliance with the Act, i.e. it must ensure that all the conditions for lawful processing are met, both when it decides the purpose and means of processing and during the processing itself.
- Processing limitation: Personal information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject; only information that is adequate, relevant and not excessive for the purpose may be processed, and there must be consent or another legal justification for processing.
- Purpose specification: Personal information may only be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party, and must not be retained for longer than is necessary to achieve that purpose.
- Further processing limitation: Any further processing of personal information must be compatible with the purpose for which it was originally collected.
- Information quality: The responsible party must take reasonable steps to ensure the personal information is complete, accurate, not misleading and, where necessary, up to date.
- Openness: The responsible party must maintain documentation of all its processing operations and must take reasonable steps to ensure the data subject is told, among other things, what information is being collected, by whom and for what purpose.
- Security safeguards: The responsible party must (i) take appropriate, reasonable technical and organisational measures to secure the integrity and confidentiality of personal information; (ii) ensure that any operator processing personal information on its behalf establishes and maintains the same security measures; and (iii) notify the Information Regulator and the affected data subjects as soon as reasonably possible where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.
- Data subject participation: The responsible party must allow data subjects to confirm whether it holds their personal information, to access that information, and to learn the identity of all third parties that have had access to it. On request it must also correct, delete or destroy personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained.
What does POPIA say about consent?
POPIA states that personal information may only be processed with the data subject’s consent, or on one of the other legal grounds listed below: for example, where the data subject already has a contract with the organisation and the processing is necessary to perform that contract, or where there is a reason in law for collecting or processing the information.
POPIA defines consent as:
“voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”
Similar to the GDPR’s consent requirements, consent must be:
- Voluntary, i.e. the data subject must have a genuine choice, and consent should not be made a condition of using a product or service. On this reading, consent obtained through a cookie wall is unlikely to be valid under POPIA.
- Specific, i.e. consent must be obtained for a specific purpose and cannot be vague or ambiguous. POPIA states that “personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party”. For instance, if consent is required for sending marketing emails, obtain explicit consent for that purpose only.
- Informed, i.e. the data subject must be told upfront what they are consenting to and how their personal information will be processed.
What are the exemptions from consent in POPIA?
- Contract: The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party.
- Legal obligation: The processing complies with an obligation imposed by law on the responsible party.
- Legitimate interest of the data subject: The processing protects a legitimate interest of the data subject.
- Performance of a public law duty: The processing is necessary for the proper performance of a public law duty by a public body.
- Legitimate interest of the responsible party or a third party: The processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
How can you comply with POPIA?
To obtain valid consent from users or customers on your website under POPIA, here is a compliance checklist:
- Provide an opt-in mechanism for consent whenever users are asked for their personal information.
- To obtain consent for direct marketing (email, calls, SMS etc.), make the consent request using Form 4 prescribed by the POPIA Regulations.
- Be clear that you are requesting consent for a specific purpose. Consent should not be bundled with other terms and conditions.
- Give users a way to exercise a free choice, such as an unticked checkbox or a button they must actively click.
- Keep records of when and how consent was obtained and the purpose for which the user gave it.
- Give users an easy way to withdraw consent or opt out of direct marketing communications, such as an unsubscribe link in every email.
How does POPIA affect cookie consent?
If you are a website owner with visitors from South Africa, here are the POPIA cookie consent requirements you need to comply with:
- Get consent from visitors through a cookie banner before setting non-essential cookies in their browser
- Block third-party scripts from loading until the user gives consent
- Keep a record of each visitor’s cookie consent and how it was obtained, as proof of compliance
- Use a cookie consent solution to collect and manage cookie consent
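The two technical items in that list, blocking third-party scripts until consent is given and keeping a record of the consent, are easy to get wrong if the page simply loads tags and hopes the banner is clicked first. The sketch below is an added example, not CookieYes code or anything from the Act. It assumes a site ships its third-party tags as inert placeholders, `<script type="text/plain" data-consent-category="analytics" data-src="...">`, which the browser never executes, and only swaps them for real script elements for the categories a visitor has opted into. The consent record captures what was granted, how, when and against which policy version; anything other than an explicit `true` is treated as no consent, so a closed banner or a pre-ticked box never counts. The script sources are constructed sample values.

```javascript
// Consent-gated loading of third-party scripts, with an auditable consent record.
// Added illustration (not CookieYes code). Assumed page convention: third-party tags
// are shipped as <script type="text/plain" data-consent-category="..." data-src="...">.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Build a consent record. "necessary" is always on; every other category is opt-in
// and defaults to false, so silence, a closed banner or a non-boolean value never
// counts as consent. The record also stores how and when consent was obtained.
function buildConsentRecord(choices, { method, policyVersion, now = () => new Date() }) {
  const granted = {};
  for (const category of CATEGORIES) {
    granted[category] = category === "necessary" ? true : choices[category] === true;
  }
  return {
    granted,
    method,        // what the user actually did, e.g. "banner-accept-selected"
    policyVersion, // which version of the cookie policy the consent refers to
    recordedAt: now().toISOString(),
  };
}

// Withdrawal produces a new record rather than mutating the old one, so the
// history of what was consented to and when stays intact for proof of compliance.
function withdrawConsent(record, categories, opts) {
  const choices = { ...record.granted };
  for (const category of categories) {
    if (category !== "necessary") choices[category] = false;
  }
  return buildConsentRecord(choices, { ...opts, method: "withdrawn" });
}

// Decide, purely from data, which tagged scripts may run under a record.
// `scripts` is a list of { src, category }; a null record means no consent yet.
function decideScripts(scripts, record) {
  const load = [];
  const blocked = [];
  for (const script of scripts) {
    const allowed =
      script.category === "necessary" ||
      (record !== null && record.granted[script.category] === true);
    (allowed ? load : blocked).push(script.src);
  }
  return { load, blocked };
}

// Browser-only step: replace each permitted text/plain placeholder with a real
// script element. Guarded so the module also runs under Node without a DOM.
function activateScripts(record, doc = typeof document !== "undefined" ? document : null) {
  if (doc === null) return 0;
  const placeholders = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent-category]')
  );
  const scripts = placeholders.map((el) => ({
    src: el.dataset.src,
    category: el.dataset.consentCategory,
    el,
  }));
  const { load } = decideScripts(scripts, record);
  let activated = 0;
  for (const s of scripts) {
    if (!load.includes(s.src)) continue;
    const real = doc.createElement("script");
    real.src = s.src;
    real.async = true;
    s.el.replaceWith(real); // the placeholder is gone, so it cannot be activated twice
    activated += 1;
  }
  return activated;
}

// Constructed sample of the placeholders a page might carry (hypothetical hosts).
const SAMPLE_SCRIPTS = [
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
  { src: "/static/consent-banner.js", category: "necessary" },
];
```

In a real deployment the record returned by `buildConsentRecord` would be stored both in a first-party cookie (so the next page load can call `activateScripts` without re-asking) and server-side under a consent ID, since the server-side copy is what you would produce as evidence of when and how consent was obtained.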
CookieYes for POPIA compliance
CookieYes is a cookie consent solution used by over 1 million websites worldwide for compliance with privacy laws like GDPR, CCPA, LGPD and POPIA.
With CookieYes, you can:
- Generate a cookie consent banner with full customization
- Conduct periodic cookie scan of your website for an up-to-date cookie list
- Give users granular control to selectively enable or disable cookie categories
- Auto-block third-party cookies like Google Analytics, Hotjar, Facebook pixels prior to getting user consent
- Record user consent and their cookie preferences
- Manage all your cookie compliance requirements in a single dashboard
What are the penalties for non-compliance with POPIA?
The Act provides for the following penalties:
- An administrative fine of up to R10 million, imposed by the Information Regulator
- On criminal conviction, a fine and/or imprisonment of up to 10 years for the more serious offences (for example obstructing the Regulator or unlawfully processing account numbers), and up to 12 months for lesser offences
- Payment of damages to the data subject under POPIA’s civil remedy, which allows the data subject or the Regulator to sue the responsible party whether or not there was intent or negligence
Who is the regulator of POPIA?
POPIA establishes an Information Regulator, whose members were first appointed with effect from December 2016 and who spent the years before commencement preparing for the rollout of the Act. The office of the Information Regulator is responsible for enforcing the legislation.
- POPIA gives the Information Regulator extensive powers to investigate complaints, issue enforcement notices and impose administrative fines on responsible parties.
- Data subjects can lodge a complaint with the Information Regulator, which can then investigate and take action on their behalf.
Is POPIA the same as GDPR?
POPIA shares many similarities with the GDPR, including the principles of transparency, accountability, security and data minimisation, and the rights it grants to data subjects. If your business is subject to both laws, here is a comparison of the main differences.
POPIA vs GDPR
| | Protection of Personal Information Act (POPIA) | General Data Protection Regulation (GDPR) |
|---|---|---|
| Personal scope | Applies to personal information of identifiable natural persons and, where applicable, identifiable juristic persons. | Applies only to personal data of identified or identifiable natural persons. |
| Territorial scope | Applies to responsible parties domiciled in South Africa, and to those outside South Africa that use automated or non-automated means in the country (other than merely to forward information through it). | Applies to organisations established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. |
| Regulator | A single Information Regulator, established under section 39 of POPIA. | Each member state must establish one or more independent supervisory authorities (Article 51). |
| Penalties | Administrative fine of up to R10 million (approx. €490,000 at the time of writing); criminal penalties of up to 10 years’ imprisonment. | Up to €20 million or 4% of worldwide annual turnover, whichever is higher. The GDPR makes no provision for imprisonment. |
| Data transfer | Transfers out of South Africa are prohibited unless the recipient is subject to a law, binding corporate rules or a binding agreement providing an adequate level of protection, or another section 72 ground applies (for example, the data subject’s consent). | Transfers outside the EU are permitted to countries with an adequacy decision from the European Commission, or otherwise with appropriate safeguards such as standard contractual clauses or binding corporate rules. |
| Data breach | Notify the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise. | Notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; notify data subjects where the breach is likely to result in a high risk to them. |
FAQ on POPIA South Africa
What does POPIA mean in South Africa?
The Protection of Personal Information Act (POPIA or the POPI Act) is a South African privacy law that sets out the conditions for the lawful processing of personal information by public and private bodies, regulates the international flow of personal information, and defines the rights of data subjects.
Is the POPI Act in effect in South Africa?
Yes, POPIA is currently in effect in South Africa. It commenced on 1 July 2020 with a 12-month grace period for businesses to comply; the deadline for full compliance was 1 July 2021.
Which country does the POPI Act apply to?
POPIA applies to every business in South Africa, including international companies that do business in South Africa, that collects, uses, stores or otherwise processes personal information about a data subject (a natural person or a juristic person) in South Africa. Data subjects include everyone in South Africa whose information is processed, not only citizens.
Who must register for POPI Act?
A business that falls under POPIA should have registered its Information Officer with the Information Regulator by 1 July 2021 via the registration portal on the Regulator’s official website.
Note that under the Promotion of Access to Information Act (PAIA), the head of every public or private body in South Africa is by default its Information Officer, whether or not the body has formally designated one. See the guide on the Information Officer for details.