Kickstart your POPIA compliance and avoid legal fines

Personal information in POPIA is defined as "information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person." It is important to note that POPIA's definition of PI also includes a juristic person, i.e. an organization recognized by law to have rights and responsibilities like a natural person.

This information about a person includes but is not limited to demographic details like name, age, race, gender, contact information such as email address, physical address, phone number, financial, employment and educational information, medical history and biometric information.

There are some exceptions to the applicability of POPI Act South Africa. It does not apply if:

• Data processing is carried out for personal or household activity,
• Data is de-identified and cannot be re-identified again
• Data processing is done by or on behalf of a public body
  • For national security
  • For the purpose of prevention, detection, and assistance in the identification of the proceeds of unlawful activities
  • By the Cabinet and its committees or the Executive Council of a province
  • Judicial functions of a court or
  • Terrorist and related activities

POPIA limits the transfer of personal data outside South Africa unless at least one of the prescribed safeguards set out by the Act is met and the transfer does not put the personal information at risk of breach of confidentiality or security.

Section 72 of POPI Act sets out the conditions for the cross-border transfer of personal information. These include consent from the data subject, the recipient of the PI is subject to Binding Corporate Rules (BCRs) and processing conditions should be established "in harmony with international standards" and if the transfer is necessary to fulfil the terms of a contract.

The Information Regulator is the regulatory authority for POPI Act South Africa. It is the independent statutory body established by the Act and is responsible for monitoring and enforcing POPIA compliance by public and private bodies. 

The Information Regulator has the power to investigate complaints, issue fines and take legal action against non-compliant entities. It will regulate both POPIA and the Promotion of Access to Information Act or PAIA.

The GDPR has extra-territorial scope, meaning entities outside of the EU/EEA that collect the personal data of EU/EEA residents can come under the purview of GDPR. 

This means businesses in South Africa that process the personal data of EU consumers must ensure that it is adequately protected, in accordance with GDPR standards. 

As POPI Act of South Africa shares many similarities to GDPR, compliance with POPIA can also be a step towards compliance with GDPR.

Here are some links you can refer to for additional reading:

• Official Text of POPIA
• Simplified Guide on POPIA South Africa