• Mastering Compliance News by Masthead

The Protection of Personal Information Act (POPIA) is set to take effect on 1 July 2020

On 22 June 2020, the President issued a Proclamation regarding the commencement of certain sections of the POPI Act: sections 2 to 38; 55 to 109; 111 and 114(1), (2) and (3), all of which will take effect on 1 July 2020. These sections deal with, inter alia, the purpose of the Act, the application and exclusion provisions, the lawful processing of personal information and exemptions thereof, sections relating to the Information Officer, prior authorisation, codes of conduct issued by the Information Regulator, provisions regulating direct marketing by means of unsolicited electronic communications, enforcement, complaints, offences and penalties.

The Proclamation also states that sections 110 and 114(4) will come into effect on 30 June 2021. These sections deal with the transfer of the enforcement of the Promotion of Access to Information Act (PAIA) from the South African Human Rights Commission (SAHRC) to the Information Regulator.

It is important to note that section 114(1) of POPIA provides a grace period of 1 year to be fully compliant with the Act – therefore all entities must be fully compliant with the provisions of POPIA by 1 July 2021. The grace period should be used to put compliance processes in place.



POPIA was signed into law in 2013 but did not take full effect at the time. Various developments have since taken place, such as the appointment of the Information Regulator in 2016 and the final POPI Regulations, which were published in 2018.

The Act aims to protect personal information, which falls under the broader Constitutional right to privacy. POPIA seeks to regulate every step of the processing of personal information, from how personal information must be handled when it is collected until the time it is destroyed. But what exactly should be considered as personal information and what does processing mean?

Personal information broadly means any information relating to an identifiable, living, natural person or, where applicable, an identifiable, existing juristic person (companies, CCs, etc.) and includes, but is not limited to:

  • contact details: such as email addresses, telephone numbers, physical addresses etc.

  • demographic information: such as age, sex, race, ethnicity etc.

  • information relating to the education or medical, financial, criminal, or employment history of the person

  • biometric information: such as fingerprints

  • the personal opinions, views or preferences of the person

  • the views or opinions of another individual about the person

  • private correspondence sent by the person or further correspondence that would reveal the contents of the original correspondence

  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

Processing means anything that can be done with the Personal Information including collection, usage, storage, dissemination, modification, or destruction.

POPIA and Financial Advisors

It is crucial for every individual that processes personal information to understand the requirements of POPIA. Business owners, Directors and Key Individuals need to understand the principles of POPIA from both an internal and an external perspective: external refers to how client information is processed, while internal refers to HR processes and how employees' personal information is processed. Adequate security measures and POPIA related policies and procedures will need to be implemente