POPIA – one year later

02 August 2022 Nadia Verappen, Compliance Officer at Compli-Serve SA

Typing in your ID number at record speed is a newly acquired skill as organisations seem to abandon a risk-based approach in fear of retribution from the Information Regulator.

There is not a single form of communication from an organisation that does not require a password in an attempt to avoid the exploitation of our personal data. So, one year later, how has South Africa’s new era of privacy fared? As we all clambered towards compliance with POPIA regulation, what has changed apart from the password debacle?

POPIA is intended to give individuals increased control over how their personal data is collected and used. In doing this, it also opens new risks for organisations that handle personal data. Yet, despite this and the increased controls in place, storing and selling personal data is still a booming industry.

Unfortunately, industries that store valuable information, like healthcare and finance, are the main targets for hackers. As hackers and scammers use social engineering, phishing scams and your social media account against you, organisations are spending fortunes on firewalls, cyber security, and data experts to develop processes that keep information secure.

The battle for data privacy is hard fought and often lost even by big organisations, like Dischem and credit reporting giant TransUnion. As the war against data privacy breaches rages on, the visibility of the Information Regulator is being questioned.

Despite the lack of fines and our inability to register Information Officers via the Information Regulator's website, this is in line with international standards, as it took almost two years for the first General Data Protection Regulation (GDPR) fine to be issued. As we look to the Information Regulator, which is empowered to monitor and enforce compliance by public and private bodies with the provisions of the POPIA Act, we wait for it to continue to develop its framework.

This provides further opportunity for organisations to stress test the robustness of their POPIA controls by assessing privacy risks that exist throughout their processing activities, and to perform personal information impact assessments that ensure adequate safeguards are implemented to mitigate such risks.

While doing this, organisations must take heed that the Information Regulator has extended the reach of its regulatory mandate functions with the inclusion of the Promotion of Access to Information Act (PAIA). This is in relation to the main objectives of PAIA, which are to promote transparency, accountability, and effective governance of all public and private bodies. This will further assist members of the public to effectively scrutinise and participate in decision making by public bodies.

Furthermore, PAIA ensures that the state promotes a human rights culture and social justice. The aim is that the inclusion of PAIA will encourage openness and access to information in an expedient, cost-effective and consumer-friendly manner.

While there is no doubt that fines are likely to change policies and practices and will provide a sense of urgency to those who are lagging in compliance, the time for better governance for technology and data collection was yesterday.
