The Protection of Personal Information Act, generally known as the PoPI Act or POPIA, has been several years in the making. First assented to in November 2013, the Regulations were only promulgated in December 2018. The entire Act other than Sections 110 and 114(4) commenced on 1 July 2020, while the last-mentioned two sections take effect on 30 June 2021.
The Act intends to promote the protection of personal information processed by public and private bodies; to introduce certain conditions so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator to exercise certain powers and to perform certain duties and functions in terms of this Act and the Promotion of Access to Information Act, 2000; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic communications and automated decision making; to regulate the flow of personal information across the borders of the Republic and to provide for matters connected therewith.
The Protection of Personal Information Act, 2013 is generally also referred to as POPIA. It governs when and how organisations collect, use, store, delete and otherwise handle personal information of living individuals and existing juristic entities.
POPIA is South Africa’s data privacy law, joining the global network of countries who have privacy laws in operation. It applies to all local and foreign enterprises who process, collect, use or otherwise handle personal information in South Africa.
All enterprises have until 30 June 2021 to become compliant.