Are we ready for POPI?

Online since 5.09.2017 • Filed under Communication & Media • From Issue 6 - September 2017 - February 2018 page(s) 58-59
Are we ready for POPI?

The Protection of Personal Information Act, 2013 (Act No. 4 of 2013), or POPI, has only been partially implemented, with the focus mainly on establishing a national Information Regulator. But many commentators believe that full implementation will probably not be delayed past 2018.

Teryl Schroenn, CEO of Accsys believes that most organisations are not adequately prepared for compliance. ‘At conferences, we see a small show of hands when asking how many have POPI-ready systems and processes in place.’ She asserts that a successful POPI rollout starts with total buy-in from senior executives and management. ‘Organisations need a strong committee with the authority to drive change. They’ll also require thorough guidance from legal, subject matter, technical and change management experts.’


It’s important to have at least a broad understanding of the Act. There are eight conditions that data collectors must meet:

1. Making themselves accountable to the law

2. Limiting personal information collection and use to a minimum

3. Collecting data for a specified purpose only

4. Allowing third party processing only in terms of the original purpose

5. Preserving the quality of the data

6. Documenting how the data is processed, and informing the subject of its use and effect

7. Securing the integrity and confidentiality of the data

8. Ensuring the data subject has access to and control of their information.


The Act establishes an information regulator tasked with providing public services for and enforcing POPI. Data collectors must appoint an information officer as per the Promotion of Access to Information Act 2 of 2000. To use personal information for certain purposes, data collectors must obtain authorisation from the regulator first. These include processing data outside its original purpose, linking it to data from third parties, or transferring it to a foreign country lacking adequate protection.


Data subjects have specific rights regarding unsolicited electronic communications from direct marketers, being listed in public directories, and decisions made about them by automated decision-making processes. Restrictions for transmitting personal information to foreign countries apply but don’t prohibit the data collector from doing so when necessary to their function.


The Act dictates how complaints are processed, the conditions for warrants, search and seizure of data, how violations are assessed, and the right of a data collector to appeal. Certain acts are unlawful and may carry a prison sentence of up to 10 years or a fine of up to R10 million. However, the Regulator will consider the nature and extent of each transgression. Why should organisations implement POPI now? ‘While POPI provides a mandate for the cause, organisations should already be protecting their customers’ and employees’ information simply because it’s the right thing to do,’ Schroenn concludes.

Accsys is a South African software company specialising in people management solutions. Its solutions are developed in South Africa with an emphasis on local workplace conditions to fulfil the purpose of providing strategic solutions for people who manage people. For more information, visit

Issue 6 - September 2017 - February 2018

Issue 6 - September 2017 - February 2018

This article was featured on page 58-59 of SABI Magazine Issue 6 - September 2017 - February 2018 .

Share this

10th Annual Business Process Management take of 21 Sept 18
Power Week Africa Conference 2018 take off 15 Sept 18

Subscribe to our Digital Magazine (free)