A year to get to grips with POPI

03 February 2014 Catherine Berry, Camargue

Although the actual commencement date of the Protection of Personal Information Act No. 4 of 2013 (POPI) is yet to be determined by the President, it has been made very clear that when this date is confirmed, organisations will have one year to demonstrate compliance with this legislation.

Enacted on 26 November 2013, POPI is intended to bring South Africa in line with international data protection laws. To avoid non-compliance, organisations should immediately assess the impact of POPI on their organisation, and begin to mitigate their risks by compiling and implementing an appropriate plan of action which will see the organisation comply with all the inherent requirements of the Act.

Improving the landscape

Section 14 of the Constitution of the Republic of South Africa 1996 provides that everyone has the right to privacy, which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.

POPI will promote the protection of personal information processed by public and private bodies by introducing certain conditions in order to establish minimum requirements for the processing of personal information of individuals or of juristic persons.

Furthermore, the Act provides for the establishment of an Information Regulator to exercise certain powers and to perform particular duties in terms of the Act. The Act extends to the provision of the rights of persons regarding unsolicited electronic communications and automated decision making. It also seeks to regulate the flow of personal information across the borders of the Republic of South Africa.

Taking King III into account

While POPI is the latest and most comprehensive piece of South African legislation to govern personal information, it should be noted that King Code III deals extensively with the issue of information technology governance.

King III notes that information technology is an integral part of the business and it is fundamental to support, sustain and grow a business.

Reliance on information technology systems, together with the emergence and evolution of the internet, ecommerce, online trading and electronic communication, allows companies to conduct business electronically and perform transactions instantly. These developments bring significant risks and should be well governed and controlled. King III therefore notes that directors, in exercising their duty of care, should ensure that prudent and reasonable steps have been taken in regard to information technology governance.

In addition, King III puts forward the following principles pertaining to information technology:

- The board should be responsible for information technology governance.
- IT should be aligned with the performance and sustainability objectives of the company.
- The board should delegate the responsibility for the implementation of an IT governance framework to management.
- The board should monitor and evaluate significant IT investments and expenditure.
- IT should form an integral part of the company’s risk management.
- The board should ensure that information assets are managed effectively.
- A risk committee and audit committee should assist the board in carrying out its IT responsibilities.

Applications of the principles

POPI sets out eight conditions that responsible parties will need to take into consideration for the processing of personal information to be lawful.

Condition seven of POPI deals with security safeguards and states that a responsible party must secure the integrity and confidentiality of any personal information in its possession by implementing appropriate, reasonable technical and organisational measures to prevent loss, damage and unauthorised and unlawful access to the personal information in its possession. Furthermore, the Regulator and the data subject are to be notified when there are reasonable grounds to believe that the personal information of that data subject has been accessed or acquired by an unauthorised person.

Non-compliance may result in an administrative fine of up to R10 million, or imprisonment for a period of up to ten years. Companies are encouraged to pre-empt the implementation of this Act by adopting compliance measures now, as the Act will have a significant impact on the industry.
