A year to get to grips with POPI

03 February 2014 Catherine Berry, Camargue

Although the actual commencement date of the Protection of Personal Information Act No. 4 of 2013 (POPI) is yet to be determined by the President, it has been made very clear that when this date is confirmed, organisations will have one year to demonstrate compliance with this legislation.

Enacted on 26 November 2013, POPI is intended to bring South Africa in line with international data protection laws. To avoid non-compliance, organisations should immediately assess the impact of POPI on their organisation, and begin to mitigate their risks by compiling and implementing an appropriate plan of action which will see the organisation comply with all the inherent requirements of the Act.

Improving the landscape

Section 14 of the Constitution of the Republic of South Africa 1996 provides that everyone has the right to privacy, which includes a right to protection against the unlawful collection, retention, dissemination and use of personal information.

POPI will promote the protection of personal information processed by public and private bodies by introducing certain conditions in order to establish minimum requirements for the processing of personal information of individuals or of juristic persons.

Furthermore, the Act provides for the establishment of an Information Regulator to exercise certain powers and to perform particular duties in terms of the Act. The Act extends to the provision of the rights of persons regarding unsolicited electronic communications and automated decision making. It also seeks to regulate the flow of personal information across the borders of the Republic of South Africa.

Taking King III into account

While POPI is the latest and most comprehensive piece of South African legislation to govern personal information, it should be noted that King Code III deals extensively with the issue of information technology governance.

King III notes that information technology is an integral part of the business and it is fundamental to support, sustain and grow a business.

The reliance on information technology systems, the emergence and evolution of the internet, ecommerce, online trading and electronic communication allows companies to conduct business electronically and perform transactions instantly. These developments bring about significant risks and should be well governed and controlled. Thus, King III notes that, in directors’ exercise of duty of care, they should ensure that prudent and reasonable steps have been taken in regard to information technology governance.

Further hereto, King III puts forward the following principles pertaining to information technology:

- The board should be responsible for information technology governance.
- IT should be aligned with the performance and sustainability objectives of the company.
- The board should delegate the responsibility for the implementation of an IT governance framework to management.
- The board should monitor and evaluate significant IT investments and expenditure.
- IT should form an integral part of the company’s risk management.
- The board should ensure that information assets are managed effectively.
- A risk committee and audit committee should assist the board in carrying out its IT responsibilities.

Applications of the principles

POPI sets out eight conditions that responsible parties will need to take into consideration for the processing of personal information to be lawful.

Condition seven of POPI deals with security safeguards and states that a responsible party must secure the integrity and confidentiality of any personal information in its possession by implementing appropriate, reasonable technical and organisational measures to prevent loss, damage and unauthorised and unlawful access to the personal information in its possession. Furthermore, the Regulator and the data subject are to be notified when there are reasonable grounds to believe that the personal information of that data subject has been accessed or acquired by an unauthorised person.

Non-compliance may result in administrative fines, maximum R10 million, or imprisonment for a maximum period ten years. Companies are encouraged to pre-empt the implementation of this Bill by adopting compliance measures as this Act will have a significant impact on the industry.


Quick Polls


Do you believe this is the toughest period for financial advice in many years?


Yes, it’s hard to navigate the challenges and difficult to adapt. I’m struggling.
No, I have managed to navigate the challenges and have adapted. I’m good.
50/50. I just feel like whether we like it or not, we have to ready ourselves for change… be resilient and scale for the future. It’s not about survival of the fittest anymore but survival of the quickest. We just have to move on with life.
fanews magazine
FAnews October 2021 Get the latest issue of FAnews

This month's headlines

IFA nuggets: Prospecting for clients
FSCA weighs in as universal life policy premiums rocket
No short cuts for the short term broker
Investment lessons worth sharing
Tightening of policy wordings… likely in the future?
Subscribe now