The Protection of Personal Information Act (South Africa) - POPIA applies to any processing (collection, recording, organizing, sharing, using, storing, etc.) of personal information by a responsible party (a website, company or organization) located in South Africa, or located outside South Africa if it uses means located in South Africa to process the information.
Some of POPIA’s provisions went into effect in 2020, and the law came into full force in July 2021.
POPIA’s principles cover a wide range of data privacy concerns, including security breaches, identity and data theft, discrimination against users, violation of consent, children’s privacy rights, and more.
The law grants South Africans new data privacy rights such as the right to access, correction, erasure, and more.
What is POPIA?
In addition to what is possibly the cutest name for a data privacy law, POPIA also includes eight information protection principles for lawful data processing:
- Accountability: This principle demands that we define who the responsible party is within the organization and assign the responsibility for all POPIA compliance to that specific individual.
- Processing limitation: The general requirement here is that all data must be processed in a fair and lawful manner based on consent. This principle is focused on how the data was obtained, the user’s awareness, third-party involvement, excessive information gathering, and more.
- Purpose specification: The law demands that information may only be gathered for specific, clear, predefined purposes. These purposes must be communicated to users throughout the process, and the scope of the collection procedure should be limited accordingly.
- Further processing limitation: If the processing of data has any secondary purposes, these must be directly tied to the original purpose that was first communicated to users. In other words, reusing data for different goals without consent is forbidden.
- Information quality: This principle defines the responsibility to try to keep all collected information as up to date and complete as possible. Specific measures should be taken to ensure that, and users should be given tools to update their own data as well as to withdraw consent.
- Openness: The responsible party should maintain a high level of transparency and let data subjects know how their data is handled before receiving consent. Businesses must present evidence for consent and for informing users of their data privacy rights.
- Security safeguards: The data collected from customers should be protected, and companies need to present the procedures that identify users, prevent unauthorized access, alert users to breaches, and more.
- Data subject participation: Customers can approach the company at any given moment to receive information regarding their personal data. They should be granted access and have a simple path towards consent withdrawal.