technology, media and telecommunications (TMT) | 17 Jun 2020
BY Era Gunning

POPIA “must haves”

While the Coronavirus (COVID-19) continues to affect every aspect of our lives, we cannot overlook the importance of privacy and data protection.

South Africa’s dedicated privacy and data protection legislation, the Protection of Personal Information Act, 2013 (“POPIA”), will come into force on a date to be determined by the president. Certain provisions relating to the establishment of the Information Regulator and the making of regulations under POPIA, however, came into force on 11 April 2014. The regulator was appointed on 1 December 2016 and the final regulations were published on 14 December 2018.

The chairperson of the regulator, in January 2020, sent a request to President Cyril Ramaphosa to declare that the remaining provisions of POPIA commence on 1 April 2020. It was widely expected that the president would act on this request, but, presumably due to the outbreak of the COVID-19 pandemic, the commencement date was not proclaimed. It is currently uncertain when it will be proclaimed, but given the data-protection concerns in respect of remote education, working and the like, we expect it to be soon.

A responsible party, ie, a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information, will then be given a one-year transitional period after the commencement date is proclaimed to comply with POPIA’s provisions.

Subject to certain exclusions, POPIA applies to the automated or non-automated processing of personal information entered into a record in any form provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof. This processing must be done by or for a responsible party who or which is domiciled in South Africa, or not domiciled in South Africa, unless the processing relates only to the forwarding of personal information through South Africa.

How to demonstrate compliance

Responsible parties must ensure that the conditions for lawful processing of personal information set out in a chapter of POPIA are complied with whenever they process personal information. In practice, compliance is demonstrated, among other things, by the following POPIA “must haves”:

  • the appointment of an information officer – in the absence of such appointment, this will automatically be the head of the organisation;
  • the making of certain mandatory disclosures to data subjects, including with whom their personal information is shared, eg, by means of a detailed privacy policy published on the organisation’s website, which may be incorporated by reference in data-subject-facing documents, such as terms and conditions;
  • the development, implementation, monitoring and maintenance of a POPIA compliance framework;
  • the conducting of personal information impact assessments to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;
  • the development, monitoring and maintenance of a manual as prescribed in the Promotion of Access to Information Act, 2002, which must reflect the amendments to PAIA set out in the Schedule to POPIA;
  • the development of internal measures, together with adequate systems, to process requests for information or access thereto;
  • the conducting of internal awareness and training sessions; and
  • the inclusion of certain mandatory provisions in agreements with operators (ie, independent contractors who process personal information on the responsible party’s behalf).

It is important to note that section 77H of POPIA provides: “The Information Regulator … may make an assessment … of whether a public or private body generally complies with the provisions of this Act insofar as its policies and implementation procedures are concerned.”

In addition, in terms of section 109(3), “when determining an appropriate fine, the Regulator must consider … any failure to operate good policies, procedures and practices to protect personal information”.

How ENSafrica’s POPIA toolkit can help achieve compliance

ENSafrica, in conjunction with a leading data privacy expert, has designed a POPIA toolkit based on international and local South African legal requirements and global best practice.

The POPIA toolkit is a comprehensive compliance programme, and is a quick and cost-effective way for organisations to fast-track POPIA compliance and effectively manage risk. We offer various toolkits ranging from “basic” to our “ultimate POPIA toolkit”, which can be tailor-made according to your organisation’s needs, comprising:

  • Introductory 2-hour POPIA awareness session (which can be conducted via MS Teams)
  • Simplified POPIA Guide
  • Comprehensive Data Protection Policy
  • POPIA Audit Questionnaire
  • POPIA - “Do and Do Nots”
  • Information Officer Appointment Letter
  • Document Retention Policy
  • Privacy Compliance Framework
  • Model POPIA Consent Clause
  • Personal Information Sharing Policy
  • PAIA Manual
  • External Privacy Statement
  • Website Privacy Policy
  • Cookie Policy
  • Internal Privacy Policy
  • Password Policy
  • Bring Your Own Device Policy
  • Operator Clauses
  • Photography Policy
  • CCTV Monitoring Policy
  • Security Compromises Policy
  • Subject Access Request Policy
  • Employee Contract / Job Application Form Model Clauses
  • Awareness Posters
  • Full day workshop on above documentation, including train the trainer (which can be conducted via MS Teams)


Era Gunning

Executive | Banking and Finance

+27 82 788 0827