South Africa: The Protection of Personal Information Act


The Protection of Personal Information Act (POPIA) is South Africa’s primary data protection law. It was signed into law in November 2013, but most of its operative provisions only commenced on 1 July 2020, and organizations were given a one-year grace period before those provisions became enforceable on 1 July 2021. The purpose of POPIA is to give effect to the constitutional right to privacy by regulating how personal information is processed by public and private bodies.

POPIA applies to responsible parties (the act’s term for what other regimes call data controllers) that are domiciled in South Africa, and to responsible parties domiciled elsewhere that process personal information using automated or non-automated means located in South Africa, unless those means are used only to forward the information through the country. The act defines personal information as information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person such as a company.

Consent is one lawful basis for processing under POPIA, not the only one. Personal information may be processed only where the processing is justified on one of the grounds the act lists: the data subject’s consent; necessity for concluding or performing a contract with the data subject; compliance with a legal obligation; protection of the data subject’s legitimate interests; performance of a public law duty; or pursuit of the legitimate interests of the responsible party or a third party. Whatever the basis, the responsible party must inform data subjects of the purpose of collection, the recipients of the information, and their rights, which include access to their personal information, correction or deletion of information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained, and the right to object to processing.

Under POPIA, a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss of, damage to or unauthorized destruction of the information, and unlawful access to or processing of it. In practice this means identifying reasonably foreseeable internal and external risks, establishing and maintaining safeguards against them, and regularly verifying that those safeguards are effectively implemented and updated. Third parties that process personal information on the responsible party’s behalf (operators) must be bound by a written contract to the same security and confidentiality obligations. Where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized person, the responsible party must notify both the Information Regulator and the affected data subjects as soon as reasonably possible after discovering the compromise.

POPIA provides for administrative fines of up to ZAR 10 million (roughly USD 700,000 at prevailing exchange rates) and creates a number of criminal offences, punishable by a fine or imprisonment of up to 10 years for the most serious offences and up to 12 months for the others.

In conclusion, POPIA is South Africa’s principal data protection law and sets the conditions under which organizations may process personal information. Organizations must process personal information only on a lawful basis, inform data subjects of the purpose of collection and their rights, implement appropriate security safeguards, and notify the Information Regulator and affected data subjects when personal information is compromised. Failure to comply can result in administrative fines, criminal penalties and other enforcement action.
